Vulnerability Report

CVE-2026-41490

Title: SQL Injection in I/O Managers

SQLi

Proof Of Concept

PoC Available for CVE-2026-41490

CWE Category CWE-89
Published Date May 07, 2026
Modified Date May 07, 2026
Exploit Status Available
Score 8.3 CVSS v3.1
Exploit Probability (EPSS) 0.26%

Vulnerability Summary

CVE-2026-41490: Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1.
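The pattern the summary describes, an unsafe WHERE-clause builder beside a parameterized one, as an added illustration that is not Dagster's own I/O manager code; sqlite3 stands in for the DuckDB/Snowflake/BigQuery/DeltaLake backends and the `events` table is constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a partitioned asset table
    # (sqlite3 is only a stand-in for the real backends named in the advisory).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (partition_key TEXT, payload TEXT)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?)",
        [("region_eu", "eu-data"), ("region_us", "us-data"), ("region_apac", "apac-data")],
    )
    return conn


def load_partition_unsafe(conn: sqlite3.Connection, partition_key: str) -> list:
    # Vulnerable pattern: the dynamic partition key is interpolated straight into
    # the WHERE clause, so quote characters in the key change the query's logic.
    sql = f"SELECT payload FROM events WHERE partition_key = '{partition_key}'"
    return [row[0] for row in conn.execute(sql)]


def load_partition_safe(conn: sqlite3.Connection, partition_key: str) -> list:
    # Hardened pattern: the key is bound as a query parameter, so it can only be
    # compared as data and never reinterpreted as SQL.
    sql = "SELECT payload FROM events WHERE partition_key = ?"
    return [row[0] for row in conn.execute(sql, (partition_key,))]


if __name__ == "__main__":
    db = make_db()
    # A partition key containing a quote: the unsafe builder returns every row,
    # the parameterized builder returns nothing because no such key exists.
    key = "region_eu' OR '1'='1"
    print(load_partition_unsafe(db, key))  # -> ['eu-data', 'us-data', 'apac-data']
    print(load_partition_safe(db, key))    # -> []
```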

CVSS v3.1
Source Entity [email protected]
Severity HIGH 8.3
Attack Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
Confidentiality N/A
Integrity N/A
Availability N/A
Scope UNCHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L


CVE-2026-41490 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/romain-deperne/CVE-2026-41490
MODIFIED

Vulnerability data updated via NVD.


Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Stack

No specific products linked.