SQLFluff: Recursive Stack Overflow in Parser

GHSA-wmhf-fqc8-vxhh · CVE-2026-46373 · PYSEC-2026-209

Published May 19, 2026 · Modified Jun 13, 2026

Description

Impact

In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.

Patches

Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.

Credit

Ori Nakar from Imperva Threat Research Team.

References

WEB https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-46373
PACKAGE https://github.com/sqlfluff/sqlfluff

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes