External risk intelligence

Saltcorn database builder allows attackers to steal or change your data.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-41478

An authenticated attacker holding any account with read access to at least one table can exploit a SQL injection flaw in Saltcorn's mobile-sync routes to run arbitrary SQL against the backing database. This could allow them to read administrator password hashes and configuration secrets, modify proprietary business data, or destroy critical records.

Halo Surface Signal: 3

SQL Injection

Saltcorn

Affected versions: before 1.4.6; 1.5.0 to before 1.5.6; 1.6.0 pre-releases before 1.6.0-beta.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-41478

The vulnerability resides in the mobile-sync routes of Saltcorn, a web-based database builder. Although the application is commonly deployed as an internet-facing service, the attack requires an authenticated session belonging to a user with read access to at least one table. That authentication requirement lowers the likelihood of direct exploitation from the public internet compared with unauthenticated edge services, but it does not remove it: any low-privilege account, including a self-registered or compromised one, suffices.

Horizon Alert

Summary of the vulnerability and why it matters

A SQL injection vulnerability in Saltcorn allows authenticated users to execute arbitrary SQL commands. This could lead to the theft of sensitive data, including administrator passwords and configuration secrets, and potentially allow modification or deletion of the database.

  • Sensitive data exfiltration is possible.
  • Database modification or destruction may occur.
  • Affects Saltcorn's no-code builder.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this SQL injection flaw from an existing low-privilege account. By manipulating the parameters sent to the mobile-sync routes, they could read arbitrary tables, including stored credentials and configuration secrets, or alter and destroy data. Any account with read access to at least one table is sufficient; no administrative rights are needed.

  • Requires low-privilege authentication.
  • Targets mobile-sync routes.
  • Exfiltrates or modifies database.

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability affects Saltcorn releases before 1.4.6, the 1.5 line before 1.5.6, and 1.6.0 pre-releases before 1.6.0-beta.5. It allows an authenticated low-privilege user to read, and potentially modify, the entire database. Attackers prize this class of flaw because it yields direct access to sensitive data, including credentials and configuration secrets, and can escalate to complete data compromise. Exfiltrating or altering database contents is a common and valuable objective for threat actors.

  • Exploitable by authenticated users.
  • Enables full database compromise.
  • Fixes available in patch releases.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Saltcorn to 1.4.6, 1.5.6, or 1.6.0-beta.5 (or a later release in the same line) to close the SQL injection flaw. If patching must be delayed, reduce the attack surface that the bug depends on: restrict network access to the instance, review which accounts hold read access to any table and disable or lock accounts that do not need it, and rotate administrator credentials and configuration secrets after patching if the instance was exposed. Monitor request logs for unusual activity against the sync routes, such as SQL metacharacters or keywords in sync parameters, bursts of sync requests from one account, or unusually large responses.

  • Update Saltcorn to a fixed version.
  • Isolate vulnerable services if patching is delayed.
  • Monitor for suspicious sync activity.
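The monitoring step above can be turned into a concrete check. The following script is an added example, not code from Saltcorn or from this advisory: it parses access-log lines in the common combined format, keeps only requests to the sync routes, and flags those whose query string contains SQL metacharacters or keywords after URL-decoding. The log lines are constructed for illustration, and the `/sync/` path prefix is an assumption standing in for Saltcorn's mobile-sync routes; substitute the route paths from your own deployment.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (combined log format). These are NOT real
# Saltcorn logs; the "/sync/" prefix is an assumption for the sync routes.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2026:10:01:02 +0000] "GET /sync/table/orders?since=1710237600 HTTP/1.1" 200 512
10.0.0.5 - alice [12/Mar/2026:10:01:09 +0000] "GET /sync/table/orders?since=1710237700 HTTP/1.1" 200 488
10.0.0.9 - bob [12/Mar/2026:10:02:15 +0000] "GET /sync/table/orders?since=0%27%20UNION%20SELECT%20id%2Cpassword%2C1%20FROM%20users-- HTTP/1.1" 200 9120
10.0.0.9 - bob [12/Mar/2026:10:02:16 +0000] "GET /sync/table/orders?since=0%20OR%201%3D1 HTTP/1.1" 200 18840
10.0.0.7 - carol [12/Mar/2026:10:03:01 +0000] "GET /view/orders HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)
# Assumption: the mobile-sync routes live under a path containing "/sync/".
SYNC_PATH_RE = re.compile(r"/sync/")
# Cheap SQL-injection indicators: quote, comment, statement separator,
# UNION SELECT, tautologies like "OR 1=1", and time-based probes.
SQLI_RE = re.compile(
    r"('|--|;|/\*|\bunion\b\s+(all\s+)?select\b|\bor\b\s+\d+\s*=\s*\d+"
    r"|\bsleep\s*\(|\bpg_sleep\b)",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %27, %20, + before matching
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def scan_sync_requests(log_text):
    """Return (findings, sync_requests_per_user) for requests to the sync routes."""
    findings = []
    per_user = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SYNC_PATH_RE.search(rec["path"]):
            continue
        per_user[rec["user"]] += 1
        hit = SQLI_RE.search(rec["query"])
        if hit:
            findings.append({
                "user": rec["user"], "ip": rec["ip"], "ts": rec["ts"],
                "indicator": hit.group(0), "query": rec["query"],
                "status": rec["status"], "size": rec["size"],
            })
    return findings, per_user


if __name__ == "__main__":
    found, counts = scan_sync_requests(SAMPLE_LOG)
    for f in found:
        print(f"ALERT user={f['user']} ip={f['ip']} indicator={f['indicator']!r} "
              f"size={f['size']} query={f['query']!r}")
    print("sync requests per user:", dict(counts))
```

A 200 status on a flagged request is worth noting during triage: a successful injection looks like a normal sync response, only larger. Pair this with the per-user counts to spot accounts that suddenly issue many more sync requests than their baseline.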

Frequently asked questions

What is Saltcorn and what is it used for?

Saltcorn is an open-source, no-code platform designed to help users build database-backed web applications without writing any code. It offers a user-friendly interface for creating data models, forms, and workflows, enabling the development of applications like CRMs, project management tools, and more.

What kind of vulnerability does CVE-2026-41478 represent?

CVE-2026-41478 is a SQL injection vulnerability, classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). This weakness arises when an application splices user-supplied input into SQL text instead of binding it as a parameter, so that characters such as quotes or keywords such as UNION are interpreted as SQL code rather than data. The attacker can then change the query's meaning to read, modify, or delete data they were never authorized to touch.
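To make the CWE-89 mechanism concrete, here is an added example that is not Saltcorn's code and does not reproduce the real flaw: a toy "sync rows changed since" query written two ways against an in-memory SQLite database. The table names, rows and the `since` parameter are constructed for illustration. The vulnerable version formats the caller's value into the SQL string, so a payload can append a `UNION SELECT` that pulls password hashes out of another table; the hardened version validates the value and binds it as a parameter, so the same payload is rejected and could not alter the query even if it were bound unchanged.

```python
import sqlite3

# Constructed payload: closes the numeric comparison and unions in another table.
PAYLOAD = "0 UNION SELECT id, role, password_hash FROM users --"


def build_db():
    """Create a constructed in-memory database with a users table and an orders table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, role TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT, updated INTEGER);
        INSERT INTO users  VALUES (1, 'admin@example.test', '$argon2id$constructed-admin-hash', 'admin');
        INSERT INTO users  VALUES (2, 'bob@example.test',   '$argon2id$constructed-bob-hash',   'user');
        INSERT INTO orders VALUES (1, 2, 'widget',        1710237600);
        INSERT INTO orders VALUES (2, 2, 'gadget',        1710237700);
        INSERT INTO orders VALUES (3, 1, 'internal-memo', 1710237800);
    """)
    return conn


def sync_rows_vulnerable(conn, owner_id, since):
    """CWE-89: 'since' comes from the client and is spliced straight into the SQL text."""
    sql = (f"SELECT id, owner_id, item FROM orders "
           f"WHERE owner_id = {int(owner_id)} AND updated > {since}")
    return conn.execute(sql).fetchall()


def sync_rows_safe(conn, owner_id, since):
    """Hardened: validate the type, then bind both values as parameters."""
    since_ts = int(since)  # raises ValueError for anything that is not an integer
    sql = ("SELECT id, owner_id, item FROM orders "
           "WHERE owner_id = ? AND updated > ? ORDER BY id")
    return conn.execute(sql, (int(owner_id), since_ts)).fetchall()


def run_demo():
    """Run both variants against the same database and report what each returns."""
    conn = build_db()
    leaked = sync_rows_vulnerable(conn, 2, PAYLOAD)
    try:
        sync_rows_safe(conn, 2, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked_rows": leaked,
        # The second column of the unioned rows is the users.role value.
        "leaked_admin_hash": any(r[1] == "admin" for r in leaked),
        "payload_rejected": rejected,
        "safe_rows": sync_rows_safe(conn, 2, "0"),
    }


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable query returned:", result["leaked_rows"])
    print("admin hash leaked:", result["leaked_admin_hash"])
    print("safe query rejected payload:", result["payload_rejected"])
    print("safe query normal result:", result["safe_rows"])
```

Bob legitimately owns two orders, yet the vulnerable query hands him every user's role and password hash alongside them. Note that the fix is parameter binding plus type validation, not quoting or escaping the string.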

What are the preconditions for exploiting CVE-2026-41478?

To exploit this vulnerability, an attacker needs a valid authenticated Saltcorn account with read access to at least one table; no administrative role is required. The flaw is triggered by sending manipulated sync parameters to the application's mobile-sync routes.

Who should be concerned about CVE-2026-41478 based on Halo Surface Signal?

Any organization running an affected Saltcorn version should act, and internet-facing deployments should be treated as the highest priority. Although an authenticated account is required, the low privilege needed and the ability to read the whole database, including credentials and configuration secrets, make this a relevant threat for every exposed instance.

What is the first step to address CVE-2026-41478?

The immediate first step is to update Saltcorn to a patched version: 1.4.6, 1.5.6, or 1.6.0-beta.5, or any later release in the same line. Confirm the running version before and after the upgrade, and if the instance was exposed while vulnerable, rotate administrator passwords and configuration secrets, since the flaw allows them to be read.
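Deciding whether a given installation is affected requires comparing against three fix points, one per release line, with a pre-release tag in the 1.6 line. The following helper is an added example, not part of the advisory or of Saltcorn: it parses a semver-style version string, applies semantic-versioning ordering (a pre-release sorts below its release, numeric identifiers compare numerically), and returns whether that version falls in an affected range. The treatment of lines older than 1.4 (affected, no fix released) and newer than 1.6 (released after the fix, so not affected) is an assumption stated in the code.

```python
import re

# Fixed versions named in the advisory, keyed by release line.
# Each value is (major, minor, patch, prerelease_identifiers).
FIXED = {
    "1.4": (1, 4, 6, ()),
    "1.5": (1, 5, 6, ()),
    "1.6": (1, 6, 0, ("beta", 5)),
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse '1.6.0-beta.5' or 'v1.5.3' into (major, minor, patch, prerelease_tuple)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = ()
    if m.group(4):
        pre = tuple(int(p) if p.isdigit() else p for p in m.group(4).split("."))
    return (major, minor, patch, pre)


def compare(a, b):
    """Semver ordering: -1 if a < b, 0 if equal, 1 if a > b."""
    if a[:3] != b[:3]:
        return -1 if a[:3] < b[:3] else 1
    pa, pb = a[3], b[3]
    if pa == pb:
        return 0
    if not pa:          # a release outranks any of its pre-releases
        return 1
    if not pb:
        return -1
    for x, y in zip(pa, pb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):   # numeric identifiers sort below alphanumeric ones
            return -1
        if isinstance(y, int):
            return 1
        return -1 if x < y else 1
    return -1 if len(pa) < len(pb) else 1   # shorter identifier list sorts lower


def is_affected(version_text):
    """True if the given Saltcorn version is in an affected range for CVE-2026-41478."""
    v = parse_version(version_text)
    line = f"{v[0]}.{v[1]}"
    if line in FIXED:
        return compare(v, FIXED[line]) < 0
    # Assumption: lines before 1.4 never received a fix; lines after 1.6
    # were released after the fix and therefore carry it.
    return v[:2] < (1, 4)


if __name__ == "__main__":
    for ver in ["1.4.5", "1.4.6", "1.5.3", "1.5.6", "1.6.0-beta.4", "1.6.0-beta.5", "1.6.0"]:
        print(f"{ver:14} affected={is_affected(ver)}")
```

Feed it the version reported by your Saltcorn instance (for example from the package metadata of the installed release) to get a yes/no answer that respects the pre-release boundary in the 1.6 line, which a plain string comparison would get wrong.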
