CVE-2026-30870 Overview
CVE-2026-30870 is an Authorization Bypass vulnerability affecting PowerSync Service, the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters are ignored when determining which data to sync to users. This flaw can result in authenticated users syncing data that should have been restricted based on the configured access controls.
Critical Impact
Authenticated users may gain unauthorized access to restricted data due to improper subquery filter enforcement in sync stream configurations.
Affected Products
- PowerSync Service version 1.20.0
- Sync streams configured with config.edition: 3
- Configurations using subquery filters without partitioned result sets
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-30870 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30870
Vulnerability Analysis
This vulnerability is classified as CWE-285 (Improper Authorization), where the PowerSync Service fails to properly enforce access control restrictions under specific configurations. The issue specifically manifests when sync streams are configured with config.edition: 3 and utilize subquery filters to gate data synchronization.
Under normal operation, subquery filters should restrict which data records are synchronized to individual users based on authorization rules. However, in the vulnerable version, these subquery filters are silently ignored when they do not partition the result set. This means authenticated users can receive data they should not have access to, effectively bypassing the intended authorization model.
The vulnerability requires authentication, meaning an attacker must have valid credentials to the PowerSync service. However, once authenticated, they can potentially access data belonging to other users or data sets that should be restricted based on their authorization level.
Root Cause
The root cause lies in improper handling of subquery filters within the sync stream logic when config.edition: 3 is enabled. The filtering mechanism fails to apply authorization constraints for queries that gate synchronization using subqueries without partitioning the result set. This creates a scenario where the access control layer is effectively bypassed for affected query patterns.
Attack Vector
The attack is network-based and requires low complexity to exploit. An authenticated attacker can leverage this vulnerability by establishing a sync connection with the PowerSync Service and requesting data through the affected sync stream configurations. The attacker does not need any special privileges beyond standard user authentication, and no user interaction is required.
The vulnerability specifically affects configurations where:
- Sync streams use config.edition: 3
- Subquery filters are employed for access control
- The subquery does not partition the result set
Exploitation results in unauthorized data disclosure, potentially exposing sensitive information that should be restricted to specific users or roles.
Detection Methods for CVE-2026-30870
Indicators of Compromise
- Unusual sync activity patterns where users access data outside their normal scope
- Audit logs showing data synchronization requests for records users should not have access to
- Anomalous data transfer volumes during sync operations
- Users accessing data sets inconsistent with their assigned roles or permissions
Detection Strategies
- Review sync stream configurations for instances using config.edition: 3 with subquery filters
- Implement data access logging to track which records are synchronized to each user
- Compare synchronized data against expected access control policies
- Monitor for sync requests that return unexpectedly large result sets
Monitoring Recommendations
- Enable detailed logging for PowerSync Service sync operations
- Implement alerting for data access patterns that violate expected authorization boundaries
- Conduct periodic audits of sync stream configurations against security requirements
- Monitor for version 1.20.0 instances in your environment and flag for immediate patching
How to Mitigate CVE-2026-30870
Immediate Actions Required
- Upgrade PowerSync Service to version 1.20.1 or later immediately
- Review sync stream configurations using config.edition: 3 for affected subquery patterns
- Audit access logs to determine if unauthorized data synchronization has occurred
- Consider temporarily disabling affected sync streams until patching is complete
Patch Information
The vulnerability is fixed in PowerSync Service version 1.20.1. Organizations should upgrade immediately to ensure subquery filters are properly enforced. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Avoid using config.edition: 3 in sync stream configurations until upgrading to 1.20.1
- Refactor sync stream queries to use partitioned result sets where possible
- Implement additional application-layer authorization checks to validate data access
- Use row-level security at the database level as a defense-in-depth measure
# Verify PowerSync Service version
powersync-service --version
# Upgrade to patched version
npm update @powersync/service-core@1.20.1
# Review sync stream configurations for affected patterns
grep -r "edition.*3" /path/to/sync-config/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
