External risk intelligence

Datadog Vector SQL Injection Vulnerability Allows Database Access

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-39196

A SQL injection vulnerability in Datadog Vector could allow attackers to access sensitive database information via crafted SQL statements. This affects the `KeyPartitioner::partition` function. Attackers can exploit this vulnerability remotely without authentication, potentially leading to unauthorized data exposure.

Halo Surface Signal: 3

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-39196

Vector is a data observability pipeline typically deployed within internal networks. While it processes data from many sources, it is not usually exposed directly to the public internet by design. Public reachability is possible depending on specific architectural choices, but it is not a common default deployment pattern for this type of service.

PCI scan relevance

PCI Relevance for CVE-2026-39196

Yes

CVE-2026-39196 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for SQL injection, which can lead to unauthorized access to sensitive database information. Its critical severity makes it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A SQL injection vulnerability has been identified in the Datadog Vector data pipeline technology, potentially allowing unauthorized access to sensitive database information. The main concern at this time is confirming if Vector is in use and, if so, understanding its specific deployment to assess potential exposure.

  • Database access risk via crafted SQL statements.
  • Confirm whether Vector is used internally.
  • Assess the specific Vector deployment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted SQL statements over the network to the vulnerable component. This allows them to access and potentially modify sensitive data stored in the database.

  • No authentication required.
  • Malicious SQL statements trigger it.
  • Exposes sensitive database information.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to access sensitive database information by sending specially crafted SQL statements through the `set_uri_query` parameter in the `KeyPartitioner::partition` function. This could lead to unauthorized exposure of data stored in the database.

  • Database information and sensitive data at risk.
  • Crafted SQL statements via `set_uri_query`.
  • Unauthorized access to sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

Datadog Vector instances require immediate attention, as a critical SQL injection vulnerability allows unauthenticated attackers to access sensitive database information. Platform or infrastructure teams responsible for Datadog Vector deployments should lead the initial triage. The first practical step involves identifying all Vector instances, assessing their external reachability and criticality, and then determining the accountable owner for remediation planning.

  • Platform or infrastructure teams should own the initial triage.
  • Verify the reachability and criticality of each Vector instance.
  • Plan remediation based on the identified exposure.


Frequently asked questions

What is Datadog Vector?

Datadog Vector is a high-performance observability data pipeline. It is designed to collect, transform, and route logs, metrics, and traces across complex infrastructure. Engineers use it to centralize and process vast amounts of telemetry data before delivering it to various storage or analysis platforms.

What does SQL injection mean for CVE-2026-39196?

This CVE involves a vulnerability class known as CWE-89, or improper neutralization of special elements used in an SQL command. In plain English, the software fails to properly filter input, allowing an attacker to inject their own malicious database commands. Because the system executes these unauthorized instructions, an attacker can manipulate or extract sensitive information stored in the connected database.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending crafted SQL statements to the vulnerable `KeyPartitioner::partition` function via the `set_uri_query` parameter. Crucially, the vulnerability does not require authentication to trigger. It cannot be activated by normal observability traffic that lacks these specific, malicious SQL-formatted commands.

Is my Vector instance at risk if it is internal?

Halo Surface Signal notes that Vector is typically deployed within internal networks rather than exposed to the public internet. However, risk remains if your specific network architecture allows external reachability to the service. You should determine if your deployment is accessible from outside your trusted network, as internet-facing instances carry a higher potential for unauthorized access.

What should I do if I run Datadog Vector?

Start by identifying every instance of Vector running in your environment to build an accurate inventory. Once identified, evaluate the reachability and criticality of each deployment to understand your specific risk. Determine the accountable infrastructure team for these instances so they can prioritize remediation planning and monitor for updates.
