HIGH 7.5 PyPI

SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser

GHSA-73jc-5mrq-prw7 · CVE-2026-46374 · PYSEC-2026-210


Description

Impact

In deployments where untrusted users can supply SQL queries to be linted, an attacker can submit a long, specially crafted query to any application that uses the parser and trigger a denial of service through resource exhaustion.

Patches

Versions 4.2.0 and later contain a configurable parse node limit, enabled by default, which prevents this kind of exploitation.
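A service-side guard an operator can put in front of any linting call while rolling out the fix, added here as an example and not SQLFluff's or the advisory's own code: it checks that the installed SQLFluff is at least 4.2.0 and bounds the size and wall-clock time of each untrusted query. The `lint` callable and the size and time limits are assumptions, and the option name of SQLFluff's own parse node limit is not given on this page, so it is not set here.

```python
"""Admission guard for a service that lints untrusted SQL (added example)."""
from importlib.metadata import PackageNotFoundError, version
from itertools import takewhile
import signal

FIXED_VERSION = (4, 2, 0)     # advisory: 4.2.0 and later ship the parse node limit
MAX_QUERY_BYTES = 64 * 1024   # constructed policy value; tune per deployment
MAX_SECONDS = 5               # constructed wall-clock budget per request

class LintRejected(Exception):
    """Raised when a query is refused or cut off by the guard."""

def parse_version(text):
    """'4.2.0' -> (4, 2, 0); a pre-release tag such as 'rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)   # tuples compare numerically, so 4.10.0 > 4.2.0

def sqlfluff_is_patched(installed=None):
    """True if the given (or installed) SQLFluff version is 4.2.0 or later."""
    if installed is None:
        try:
            installed = version("sqlfluff")
        except PackageNotFoundError:
            return False
    return parse_version(installed) >= FIXED_VERSION

def _on_alarm(signum, frame):
    raise LintRejected("lint exceeded its time budget")

def lint_untrusted(sql, lint, timeout_s=MAX_SECONDS):
    """Run `lint(sql)` (the caller's own callable, hypothetical) only if the
    query is small, and abort it on timeout. SIGALRM: POSIX, main thread only."""
    if len(sql.encode("utf-8")) > MAX_QUERY_BYTES:
        raise LintRejected("query exceeds the size limit")
    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.alarm(timeout_s)
    try:
        return lint(sql)
    finally:
        signal.alarm(0)                          # disarm the timer
        signal.signal(signal.SIGALRM, previous)
```

Wire your real SQLFluff call in as the `lint` argument; a rejected or timed-out request surfaces as `LintRejected`, which the service can log and turn into a 4xx response instead of letting the worker exhaust memory or CPU.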

Credit

Ori Nakar of the Imperva Threat Research Team.
