GHSA-JFWG-RXF3-P7R9
Vulnerability from github – Published: 2026-04-06 17:56 – Updated: 2026-04-06 17:56Vulnerability Details
CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization.
Unauthenticated endpoints (signup, login, forgot_password, magic_link_login) pass user input directly into CQL query strings.
Note: This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.
Affected Code Pattern
// Before (VULNERABLE) - e.g. cassandradb/user.go
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = '%s'", table, email)
err := p.db.Query(query).Scan(...)
Steps to Reproduce
- Deploy Authorizer <= 2.0.0 with Cassandra backend
- Send a signup request with a CQL injection payload in the email field:
curl -X POST http://localhost:8080/graphql \
-H 'Content-Type: application/json' \
-d '{"query":"mutation { signup(params: { email: \"test'\" }) { message } }"}'
- The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information
- Crafted payloads can manipulate query logic to bypass authentication or extract data
Affected Files (10 Cassandra files)
| Package | File | Queries Fixed |
|---|---|---|
| cassandradb | user.go | 7 |
| cassandradb | otp.go | 4 |
| cassandradb | session_token.go | 19 |
| cassandradb | verification_requests.go | 4 |
| cassandradb | authenticator.go | 3 |
| cassandradb | email_template.go | 5 |
| cassandradb | webhook.go | 5 |
| cassandradb | webhook_log.go | 2 |
| cassandradb | session.go | 1 |
| cassandradb | env.go | 2 |
Impact
An unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.
Proposed Fix
Use parameterized queries:
// After (FIXED)
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = ?", table)
err := p.db.Query(query, email).Scan(...)
Fixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authorizerdev/authorizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260327055742-73679faa53cd"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-943"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T17:56:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Vulnerability Details\n\n**CWE:** CWE-943 - Improper Neutralization of Special Elements in Data Query Logic\n\nAll 66+ CQL queries in `internal/storage/db/cassandradb/` use `fmt.Sprintf` to interpolate user-controlled values directly into CQL query strings without parameterization.\n\nUnauthenticated endpoints (`signup`, `login`, `forgot_password`, `magic_link_login`) pass user input directly into CQL query strings.\n\n**Note:** This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.\n\n## Affected Code Pattern\n\n```go\n// Before (VULNERABLE) - e.g. cassandradb/user.go\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = \u0027%s\u0027\", table, email)\nerr := p.db.Query(query).Scan(...)\n```\n\n## Steps to Reproduce\n\n1. Deploy Authorizer \u003c= 2.0.0 with Cassandra backend\n2. Send a signup request with a CQL injection payload in the email field:\n\n```bash\ncurl -X POST http://localhost:8080/graphql \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"query\":\"mutation { signup(params: { email: \\\"test\u0027\\\" }) { message } }\"}\u0027\n```\n\n3. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information\n4. Crafted payloads can manipulate query logic to bypass authentication or extract data\n\n## Affected Files (10 Cassandra files)\n\n| Package | File | Queries Fixed |\n|---------|------|--------------|\n| cassandradb | user.go | 7 |\n| cassandradb | otp.go | 4 |\n| cassandradb | session_token.go | 19 |\n| cassandradb | verification_requests.go | 4 |\n| cassandradb | authenticator.go | 3 |\n| cassandradb | email_template.go | 5 |\n| cassandradb | webhook.go | 5 |\n| cassandradb | webhook_log.go | 2 |\n| cassandradb | session.go | 1 |\n| cassandradb | env.go | 2 |\n\n## Impact\n\nAn unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.\n\n## Proposed Fix\n\nUse parameterized queries:\n\n```go\n// After (FIXED)\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = ?\", table)\nerr := p.db.Query(query, email).Scan(...)\n```\n\nFixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).",
"id": "GHSA-jfwg-rxf3-p7r9",
"modified": "2026-04-06T17:56:31Z",
"published": "2026-04-06T17:56:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/security/advisories/GHSA-jfwg-rxf3-p7r9"
},
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/pull/500"
},
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/commit/73679faa53cd215c7524d651046e402c43809786"
},
{
"type": "PACKAGE",
"url": "https://github.com/authorizerdev/authorizer"
},
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/releases/tag/2.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.