Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-41490

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-07 May, 2026 | 13:15
Updated At-07 May, 2026 | 14:57
Rejected At-
Credits

Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:07 May, 2026 | 13:15
Updated At:07 May, 2026 | 14:57
Rejected At:
▼CVE Numbering Authority (CNA)
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1.

Affected Products
Vendor
dagster-io
Product
dagster
Versions
Affected
  • dagster < 1.13.1
  • dagster-duckdb < 0.29.1
  • dagster-snowflake < 0.29.1
  • dagster-gcp < 0.29.1
  • dagster-deltalake < 0.29.1
  • dagster-snowflake-polars < 0.29.1
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34
x_refsource_CONFIRM
https://github.com/dagster-io/dagster/releases/tag/1.13.1
x_refsource_MISC
Hyperlink: https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/dagster-io/dagster/releases/tag/1.13.1
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:07 May, 2026 | 14:16
Updated At:07 May, 2026 | 14:16

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-89Primarysecurity-advisories@github.com
CWE ID: CWE-89
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/dagster-io/dagster/releases/tag/1.13.1security-advisories@github.com
N/A
https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34security-advisories@github.com
N/A
Hyperlink: https://github.com/dagster-io/dagster/releases/tag/1.13.1
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

56Records found
CVE-2024-36034
Matching Score-4
Assigner-ManageEngine
ShareView Details
Matching Score-4
Assigner-ManageEngine
CVSS Score-8.3||HIGH
EPSS-1.22% / 79.27%
||
7 Day CHG~0.00%
Published-12 Aug, 2024 | 07:23
Updated-16 Aug, 2024 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_adaudit_plusADAudit Plusadaudit_plus
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-33404
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.3||HIGH
EPSS-0.11% / 28.95%
||
7 Day CHG~0.00%
Published-06 May, 2024 | 00:00
Updated-25 Mar, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability in /model/add_student_first_payment.php in campcodes Complete Web-Based School Management System 1.0 allows attacker to execute arbitrary SQL commands via the index parameter.

Action-Not Available
Vendor-n/aschool_management_system_projectCampCodes
Product-complete_web-based_school_management_systemn/aschool_management_system
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-24100
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.3||HIGH
EPSS-0.07% / 20.55%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 00:00
Updated-25 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection via PublisherID.

Action-Not Available
Vendor-n/aSource Code & Projects
Product-computer_book_storen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-21775
Matching Score-4
Assigner-ManageEngine
ShareView Details
Matching Score-4
Assigner-ManageEngine
CVSS Score-8.3||HIGH
EPSS-0.73% / 72.86%
||
7 Day CHG~0.00%
Published-16 Feb, 2024 | 14:35
Updated-26 Nov, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_exchange_reporter_plusExchange Reporter Plusexchange_reporter_plus
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-41403
Matching Score-4
Assigner-ManageEngine
ShareView Details
Matching Score-4
Assigner-ManageEngine
CVSS Score-8.3||HIGH
EPSS-3.94% / 88.48%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 10:39
Updated-16 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_adaudit_plusADAudit Plus
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-41407
Matching Score-4
Assigner-ManageEngine
ShareView Details
Matching Score-4
Assigner-ManageEngine
CVSS Score-8.3||HIGH
EPSS-1.86% / 83.31%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 10:29
Updated-16 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection in the OU History report.

Action-Not Available
Vendor-ManageEngine (Zoho Corporation Pvt. Ltd.)Zoho Corporation Pvt. Ltd.
Product-manageengine_adaudit_plusADAudit Plus
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found