CVE-2026-40887
Published: 21 April 2026
Description
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. Versions 2.3.4, 3.5.7, and 3.6.2 contain a patch. For those who are unable to upgrade immediately, Vendure has made a hotfix available that uses `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query. The hotfix replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of the user-controlled languageCode parameter to prevent its unsafe interpolation into raw SQL expressions, as implemented in the provided hotfix.
- Mandates identification, reporting, and correction of the SQL injection flaw through patching to parameterized queries, aligning with the official remediation in fixed versions.
- Enforces restrictions on information inputs like languageCode to limit them to valid values, blocking injection payloads before they reach SQL queries.
Security Summary
CVE-2026-40887 is an unauthenticated SQL injection vulnerability in the Vendure Shop API, an open-source headless commerce platform. The issue arises from a user-controlled query string parameter, specifically the languageCode, being directly interpolated into a raw SQL expression without parameterization or validation. This affects Vendure versions starting from 1.7.4 and prior to 2.3.4, 3.5.7, and 3.6.2, impacting all supported database backends including PostgreSQL, MySQL/MariaDB, and SQLite. The Admin API is also vulnerable to SQL injection, but exploitation there requires authentication. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-89.
Unauthenticated remote attackers can exploit the Shop API by supplying malicious payloads in the languageCode parameter, enabling arbitrary SQL execution against the backend database. This allows attackers to extract sensitive data (high confidentiality impact) and potentially cause a denial of service through data corruption or excessive resource consumption (high availability impact); no direct integrity modification is scored. For the Admin API, authenticated users with sufficient privileges could achieve similar outcomes.
The official advisory recommends upgrading to Vendure versions 2.3.4, 3.5.7, or 3.6.2, which fix the issue by converting the vulnerable SQL interpolation to a parameterized query for defense in depth. For those unable to upgrade immediately, a hotfix is available that modifies the RequestContextService.getLanguageCode method in packages/core/src/service/helpers/request-context/request-context.service.ts to validate the languageCode input at the API boundary, silently dropping invalid values and falling back to the channel's default language. Details are available in the GitHub Security Advisory at https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v.
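The two controls described above (the hotfix's boundary validation in `getLanguageCode`, and the patched versions' parameterized query) are shown together here as an added example; it is not Vendure's own code. The channel shape, the language-code pattern, and the `product_translation` table and column names are assumptions made for illustration.

```typescript
// Added example (not Vendure's own code): validate a user-supplied
// `languageCode` at the request boundary and keep the value out of raw SQL.
// The Channel shape and helper names are assumptions for illustration.

type LanguageCode = string;

interface Channel {
  defaultLanguageCode: LanguageCode;
  availableLanguageCodes: LanguageCode[];
}

// Constructed sample channel: English and German enabled, German is the default.
const sampleChannel: Channel = {
  defaultLanguageCode: "de",
  availableLanguageCodes: ["en", "de"],
};

// Assumed shape: 2-3 lowercase letters, optionally "_" or "-" plus 2-4
// alphanumerics (e.g. "en", "pt_BR", "zh-Hans"). Anything else is rejected
// before it is even compared against the channel's language list.
const LANGUAGE_CODE_PATTERN = /^[a-z]{2,3}(?:[_-][A-Za-z0-9]{2,4})?$/;

// Mirrors the hotfix behaviour the advisory describes: invalid or unknown
// values are silently dropped and the channel default is used instead.
function resolveLanguageCode(raw: unknown, channel: Channel): LanguageCode {
  if (typeof raw !== "string" || !LANGUAGE_CODE_PATTERN.test(raw)) {
    return channel.defaultLanguageCode;
  }
  return channel.availableLanguageCodes.includes(raw)
    ? raw
    : channel.defaultLanguageCode;
}

// Vulnerable pattern from the advisory: the value becomes part of the SQL
// text, so a stray quote or comment marker changes the query's structure.
function vulnerableFilterSql(languageCode: string): string {
  return `SELECT * FROM product_translation WHERE "languageCode" = '${languageCode}'`;
}

// Defense in depth, as the patched versions do: the value is passed as a bound
// parameter and can only ever be data. Placeholder syntax is PostgreSQL style.
function parameterizedFilterSql(
  languageCode: LanguageCode,
): { sql: string; params: unknown[] } {
  return {
    sql: 'SELECT * FROM product_translation WHERE "languageCode" = $1',
    params: [languageCode],
  };
}
```

Running `resolveLanguageCode` before any query means a malformed value never reaches `parameterizedFilterSql`, and the bound parameter protects the query even if a caller skips the validator.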
Details
- CWE(s): CWE-89
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in the public-facing Shop API enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary SQL execution for data extraction from databases (T1213.006).