Overview
CVE-2026-41422 describes an injection vulnerability in a GraphQL/JSON-API headless CMS where an endpoint accepted column and group parameters and passed them directly to a raw SQL literal builder. This allowed an authenticated user with a valid session to inject arbitrary SQL expressions because the inputs were not validated or parameterized. The issue was mitigated by patching the code to validate inputs and to constrain what could be sent to the SQL builder, effectively neutralizing the possibility of injecting SQL via dynamic identifiers. In Node.js/Express contexts, a similar vulnerability arises when developers interpolate user-supplied values directly into SQL strings or into SQL identifiers (table/column names) without any whitelisting or parameterization. This class of vulnerability can enable data exfiltration, modification, or even destruction if attackers craft payloads that alter queries or access restricted data. The Daptin CVE demonstrates the severity of unvalidated dynamic SQL paths, and the Node.js/Express remediation pattern mirrors its mitigation by enforcing strict input validation and safe query construction. In practice, you should treat any endpoint that uses user input to influence SQL as a potential risk and apply defense-in-depth to reduce the blast radius of a successful exploit.
Affected Versions
Prior to 0.11.4 (Daptin)
Code Fix Example
Node.js (Express) API Security Remediation
/* Vulnerable pattern (UNSAFE) */
// Endpoint uses user-supplied identifiers directly in SQL
app.get('/aggregate/:typename', async (req, res) => {
const typename = req.params.typename; // table name from user input
const { column, group } = req.query; // identifiers from user input
// Unsafe: interpolates user input directly into SQL identifiers
const sql = `SELECT ${column}, COUNT(*) FROM ${typename} GROUP BY ${group};`;
try {
const { rows } = await pool.query(sql);
res.json(rows);
} catch (e) {
res.status(500).send('DB error');
}
});
/* Safe pattern (SAFE) */
const allowedTypes = new Set(['orders','users','products']);
const allowedColumns = new Set(['id','name','created_at']);
const allowedGroups = new Set(['id','name','created_at']);
app.get('/aggregate/:typename', async (req, res) => {
const typename = req.params.typename;
const { column, group } = req.query;
// Validate that the identifier names come from an allowlist
if (!allowedTypes.has(typename)) {
return res.status(400).send('Invalid type');
}
if (!allowedColumns.has(column) || !allowedGroups.has(group)) {
return res.status(400).send('Invalid parameters');
}
// Safe: identifiers are whitelisted; values (if any) can be parameterized
const sql = `SELECT ${column}, COUNT(*) FROM ${typename} GROUP BY ${group};`;
try {
const { rows } = await pool.query(sql);
res.json(rows);
} catch (e) {
res.status(500).send('DB error');
}
});