CVE-2026-41490 - Vulnerability Analysis
High | CVSS: 8.3 | Last Updated: May 7, 2026
Dagster - SQL Injection
Published: May 7, 2026 | Updated: May 7, 2026 | Remote Exploitable
Overview
Dagster Core < 1.13.1 and Dagster libraries < 0.29.1 contain a SQL injection vulnerability: dynamic partition key values are placed unescaped into SQL WHERE clauses in the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers. A user with the Add Dynamic Partitions permission can execute arbitrary SQL under the I/O manager's credentials. Exploitation requires that dynamic partitions are in use.
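The flaw class described above, as a minimal added example that is not Dagster's code: `sqlite3` stands in for the affected database backends, and the `events` table, the function names and the `SAFE_KEY` allowlist are assumptions made for illustration. It contrasts a partition key pasted into the WHERE clause with the same key sent as a bound parameter, and adds an allowlist check for reviewing keys.

```python
import re
import sqlite3

# Hypothetical allowlist for partition keys; adjust to your own naming scheme.
SAFE_KEY = re.compile(r"[A-Za-z0-9_.:-]{1,128}")


def make_db():
    """Constructed sample table standing in for a partitioned asset table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (region TEXT, payload TEXT)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?)",
        [("eu", "a"), ("us", "b"), ("apac", "c")],
    )
    return conn


def load_partition_unsafe(conn, key):
    """Weak pattern: the key becomes part of the SQL text itself."""
    sql = f"SELECT payload FROM events WHERE region = '{key}'"
    return sorted(row[0] for row in conn.execute(sql))


def load_partition_bound(conn, key):
    """Hardened pattern: the key is a bound parameter, never parsed as SQL."""
    sql = "SELECT payload FROM events WHERE region = ?"
    return sorted(row[0] for row in conn.execute(sql, (key,)))


def audit_keys(keys):
    """Return the keys that fall outside the allowlist, for review."""
    return [k for k in keys if SAFE_KEY.fullmatch(k) is None]


if __name__ == "__main__":
    conn = make_db()
    crafted = "eu' OR '1'='1"  # constructed key containing SQL syntax
    print(load_partition_unsafe(conn, "eu"))     # one partition
    print(load_partition_unsafe(conn, crafted))  # filter no longer applies
    print(load_partition_bound(conn, crafted))   # treated as a literal value
    print(audit_keys(["eu", "2026-05-07", crafted]))
```

Running `audit_keys` over the dynamic partition keys already registered in a deployment is a quick review step alongside the upgrade.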
Severity & Score
Severity: High
CVSS Score: 8.3
Impact
Users with Add Dynamic Partitions permission can execute arbitrary SQL on target databases, potentially compromising data integrity and confidentiality.
Mitigation
Upgrade Dagster Core to version 1.13.1 and Dagster libraries to version 0.29.1 or later.
Details
- CVE ID: CVE-2026-41490
- Severity: High
- CVSS Score: 8.3
- Type: sql_injection
- Status: unconfirmed
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L