CKAN Unauthenticated SQL Injection Vulnerability in DataStore Search

Vulnerability

An unauthenticated SQL injection vulnerability has been identified in CKAN versions prior to 2.10.10 and 2.11.5. The issue resides in the 'datastore_search_sql' function, where an attacker can inject SQL to read private resources and PostgreSQL system information without authenticating.

Impact

Exploitation of this vulnerability could lead to unauthorized access to private resources and sensitive PostgreSQL system information.

Remediation

Upgrade to CKAN 2.10.10 or 2.11.5 to address this vulnerability. Alternatively, the DataStore SQL search feature can be disabled by setting 'ckan.datastore.sqlsearch.enabled' to 'false' in the CKAN configuration; note that this feature is disabled by default, so only deployments that have explicitly enabled it expose the affected function.
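The following script is an added example (not part of this advisory or of the CKAN project) that a defender could use to triage an installation against the two conditions above: whether the running CKAN version predates the fixed releases, and whether 'ckan.datastore.sqlsearch.enabled' is set to true in the CKAN ini file. The sample ini contents are constructed for the example; the assumption that versions older than the 2.10 branch are affected, and that branches newer than 2.11 carry the fix, follows from the advisory's wording and is marked as such in the code.

```python
import configparser
from typing import Dict, Tuple

# Fixed releases named in the advisory, keyed by release branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 10): (2, 10, 10),
    (2, 11): (2, 11, 5),
}

# Constructed sample configs (not real deployment files).
SAMPLE_INI_VULNERABLE = """
[DEFAULT]
debug = false

[app:main]
ckan.site_url = http://localhost:5000
ckan.plugins = datastore
ckan.datastore.sqlsearch.enabled = true
"""

SAMPLE_INI_HARDENED = """
[DEFAULT]
debug = false

[app:main]
ckan.site_url = http://localhost:5000
ckan.plugins = datastore
ckan.datastore.sqlsearch.enabled = false
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.10.9' into (2, 10, 9) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def is_affected_version(version: str) -> bool:
    """True if the version predates the fix for its branch.

    Assumption: anything older than the 2.10 branch is affected, and
    branches newer than 2.11 already include the fix.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed < FIXED_VERSIONS[branch]
    return parsed < (2, 10, 10)


def sqlsearch_enabled(ini_text: str) -> bool:
    """Read ckan.datastore.sqlsearch.enabled from the [app:main] section.

    The feature is off by default, so a missing key means disabled.
    interpolation=None keeps '%' characters in values from being parsed.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.getboolean(
        "app:main", "ckan.datastore.sqlsearch.enabled", fallback=False
    )


def assess(ini_text: str, version: str) -> Dict[str, object]:
    """Combine both checks into a triage verdict with a remediation hint."""
    version_affected = is_affected_version(version)
    feature_on = sqlsearch_enabled(ini_text)
    exposed = version_affected and feature_on
    if exposed:
        advice = ("Upgrade to 2.10.10 / 2.11.5, or set "
                  "ckan.datastore.sqlsearch.enabled = false until you can.")
    elif version_affected:
        advice = "SQL search is disabled; still plan the upgrade."
    else:
        advice = "Running a fixed release."
    return {
        "version": version,
        "version_affected": version_affected,
        "sqlsearch_enabled": feature_on,
        "exposed": exposed,
        "recommendation": advice,
    }


if __name__ == "__main__":
    for ini, ver in ((SAMPLE_INI_VULNERABLE, "2.11.4"),
                     (SAMPLE_INI_HARDENED, "2.11.4"),
                     (SAMPLE_INI_VULNERABLE, "2.10.10")):
        print(assess(ini, ver))
```

In a real deployment, read the ini from disk (for example the path passed to the CKAN CLI's --config option) and take the version from the running installation rather than from a hard-coded string; the decision logic stays the same.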

Added: May 13, 2026, 7:30 PM
Updated: May 13, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 2.5
exploitability: 8.3
remediation: 8.3
relevance: 8.2
threat: 0.3
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.