GHSA-RW2C-8RFQ-GWFV
Vulnerability from github – Published: 2026-04-22 17:38 – Updated: 2026-04-22 17:38Summary
The /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions.
Impact
An authenticated low-privilege user could:
- Extract data from any table via subquery: (SELECT group_concat(email) FROM user_account) as leak
- Disclose database internals: sqlite_version(), (SELECT sql FROM sqlite_master)
- Exfiltrate cross-table data via correlated subqueries
The vulnerability was confirmed locally; user_account.email values were extracted via a crafted column parameter by a non-admin user.
Root Cause
goqu.L(userInput) in server/resource/resource_aggregate.go inserted user-supplied query parameters directly into the SQL string with no validation.
Fix (v0.11.4)
All goqu.L() calls on user-controlled input were eliminated and replaced with:
- Structural expression parsing supporting all documented API forms
- Schema-based column validation (column names checked against entity schema via TableInfo().GetColumnByName())
- Exact-match allowlist for aggregate functions (count, sum, avg, min, max, first, last) and scalar functions (date, strftime, upper, lower, etc.)
- Safe goqu constructors (goqu.I(), goqu.SUM(), goqu.Func()) for all generated expressions
- allowedTables scope enforcement: qualified column refs (table.col) validated against root entity + explicitly joined tables only
Two additional DoS bugs were fixed in the same commit: uuid.MustParse panic on malformed UUID input and an index-out-of-range panic in ToOrderedExpressionArray on empty sort expressions.
Credits
Reported by @VashuVats.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/daptin/daptin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41422"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T17:38:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe `/aggregate/:typename` endpoint accepted `column` and `group` query parameters that were passed verbatim to `goqu.L()` \u2014 a raw SQL literal expression builder \u2014 without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions.\n\n## Impact\n\nAn authenticated low-privilege user could:\n- Extract data from any table via subquery: `(SELECT group_concat(email) FROM user_account) as leak`\n- Disclose database internals: `sqlite_version()`, `(SELECT sql FROM sqlite_master)`\n- Exfiltrate cross-table data via correlated subqueries\n\nThe vulnerability was confirmed locally; `user_account.email` values were extracted via a crafted `column` parameter by a non-admin user.\n\n## Root Cause\n\n`goqu.L(userInput)` in `server/resource/resource_aggregate.go` inserted user-supplied query parameters directly into the SQL string with no validation.\n\n## Fix (v0.11.4)\n\nAll `goqu.L()` calls on user-controlled input were eliminated and replaced with:\n- Structural expression parsing supporting all documented API forms\n- Schema-based column validation (column names checked against entity schema via `TableInfo().GetColumnByName()`)\n- Exact-match allowlist for aggregate functions (`count`, `sum`, `avg`, `min`, `max`, `first`, `last`) and scalar functions (`date`, `strftime`, `upper`, `lower`, etc.)\n- Safe goqu constructors (`goqu.I()`, `goqu.SUM()`, `goqu.Func()`) for all generated expressions\n- `allowedTables` scope enforcement: qualified column refs (`table.col`) validated against root entity + explicitly joined tables only\n\nTwo additional DoS bugs were fixed in the same commit: `uuid.MustParse` panic on malformed UUID input and an index-out-of-range panic in `ToOrderedExpressionArray` on empty sort expressions.\n\n## Credits\n\nReported by @VashuVats.",
"id": "GHSA-rw2c-8rfq-gwfv",
"modified": "2026-04-22T17:38:02Z",
"published": "2026-04-22T17:38:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv"
},
{
"type": "PACKAGE",
"url": "https://github.com/daptin/daptin"
},
{
"type": "WEB",
"url": "https://github.com/daptin/daptin/releases/tag/v0.11.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.