
CVE

GHSA-jfwg-rxf3-p7r9

Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation

Vulnerability Details

CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization.

Unauthenticated endpoints (signup, login, forgot_password, magic_link_login) pass user input directly into CQL query strings.

Note: This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.

Affected Code Pattern

// Before (VULNERABLE) - e.g. cassandradb/user.go
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = '%s'", table, email)
err := p.db.Query(query).Scan(...)

Steps to Reproduce

  1. Deploy Authorizer <= 2.0.0 with Cassandra backend
  2. Send a signup request with a CQL injection payload in the email field:

     curl -X POST http://localhost:8080/graphql \
       -H 'Content-Type: application/json' \
       -d '{"query":"mutation { signup(params: { email: \"test'\" }) { message } }"}'

  3. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information
  4. Crafted payloads can manipulate query logic to bypass authentication or extract data

Affected Files (10 Cassandra files)

| Package | File | Queries Fixed |
|---------|------|--------------|
| cassandradb | user.go | 7 |
| cassandradb | otp.go | 4 |
| cassandradb | session_token.go | 19 |
| cassandradb | verification_requests.go | 4 |
| cassandradb | authenticator.go | 3 |
| cassandradb | email_template.go | 5 |
| cassandradb | webhook.go | 5 |
| cassandradb | webhook_log.go | 2 |
| cassandradb | session.go | 1 |
| cassandradb | env.go | 2 |

Impact

An unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.

Proposed Fix

Use parameterized queries:

// After (FIXED)
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = ?", table)
err := p.db.Query(query, email).Scan(...)

Fixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).
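The following Go program is an added example, not code from the Authorizer project or from the advisory. It places the vulnerable fmt.Sprintf pattern and the parameterized fix side by side and shows, offline, why the fix works: with bind parameters the statement text is constant for a given table and the email value travels separately, so a quote in the value can no longer change the statement. The `Querier` interface only mirrors the shape of gocql's `Session.Query(stmt, values...)`; `recordingSession`, the table names in `allowedTables`, and the function names are assumptions made for this example. It also adds the caveat the advisory's fix implies but does not state: the `%s` for the table name survives the fix, so the table identifier must come from code (here an allowlist), never from request input.

```go
package main

import (
	"fmt"
	"strings"
)

// Querier has the shape of gocql's Session.Query(stmt, values...) (a constructed
// interface, not the driver itself): the statement text travels to Cassandra
// separately from the bound values, so a value can never alter the statement.
type Querier interface {
	Query(stmt string, values ...interface{}) error
}

// recordingSession is a constructed stand-in for a live session. It records what
// would be sent to Cassandra so both patterns can be compared offline.
type recordingSession struct {
	LastStmt   string
	LastValues []interface{}
}

func (r *recordingSession) Query(stmt string, values ...interface{}) error {
	r.LastStmt = stmt
	r.LastValues = values
	return nil
}

// allowedTables is an assumed allowlist of table names this code may interpolate.
// Bind parameters cover values only; the %s for the table name survives the fix,
// so the table must come from code, never from request input.
var allowedTables = map[string]bool{
	"authorizer_users":    true,
	"authorizer_sessions": true,
}

// lookupByEmailVulnerable reproduces the pre-fix pattern from the advisory: the
// email value is spliced into the CQL text with fmt.Sprintf.
func lookupByEmailVulnerable(s Querier, table, email string) (string, error) {
	stmt := fmt.Sprintf("SELECT id, email FROM %s WHERE email = '%s'", table, email)
	return stmt, s.Query(stmt)
}

// lookupByEmailFixed applies the patched pattern: the statement text is constant
// for a given table and the email is passed as a bind parameter.
func lookupByEmailFixed(s Querier, table, email string) (string, error) {
	if !allowedTables[table] {
		return "", fmt.Errorf("refusing to query unlisted table %q", table)
	}
	stmt := fmt.Sprintf("SELECT id, email FROM %s WHERE email = ?", table)
	return stmt, s.Query(stmt, email)
}

// quoteCount counts single quotes in a statement. A statement with exactly one
// string literal has exactly two; a third means a value broke out of the literal,
// which is the parse-error condition the advisory describes.
func quoteCount(stmt string) int {
	return strings.Count(stmt, "'")
}

func main() {
	s := &recordingSession{}
	hostile := "test'" // constructed input following the advisory's payload shape

	vuln, _ := lookupByEmailVulnerable(s, "authorizer_users", hostile)
	fmt.Printf("vulnerable: %s (quotes=%d)\n", vuln, quoteCount(vuln))

	fixed, _ := lookupByEmailFixed(s, "authorizer_users", hostile)
	fmt.Printf("fixed:      %s bound=%q\n", fixed, s.LastValues)

	if _, err := lookupByEmailFixed(s, "authorizer_users; DROP TABLE x", "a@b.c"); err != nil {
		fmt.Println("allowlist:", err)
	}
}
```

The recorded output makes the difference concrete: the vulnerable statement ends up with three quotes (the literal is broken), while the fixed statement is byte-for-byte the same no matter what the email contains and the driver receives the value as a separate bind argument. When reviewing the rest of the 66+ queries, the same two checks apply to each one: every user-supplied value must be a `?` placeholder, and every remaining `%s` must be an identifier chosen by the code.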


CVSS Version: 3.1

Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L


References

https://github.com/authorizerdev/authorizer/security/advisories/GHSA-jfwg-rxf3-p7r9
https://github.com/authorizerdev/authorizer/pull/500
https://github.com/authorizerdev/authorizer/commit/73679faa53cd215c7524d651046e402c43809786
https://github.com/authorizerdev/authorizer
https://github.com/authorizerdev/authorizer/releases/tag/2.0.1

Severity

CVSS Score: 7.3

Basic Information

Base CVSS: 7.3
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 0
Fix Available: 0.0.0-20260327055742-73679faa53cd
