CVE-2026-33468 Overview
CVE-2026-33468 is a SQL injection vulnerability in Kysely, a type-safe TypeScript SQL query builder. The vulnerability exists in versions prior to 0.28.14 due to improper handling of backslash escaping in the DefaultQueryCompiler.sanitizeStringLiteral() function. While the function correctly escapes single quotes by doubling them (' → ''), it fails to escape backslashes, which can be exploited when using the MySQL dialect where NO_BACKSLASH_ESCAPES is OFF by default.
Critical Impact
An attacker can leverage unescaped backslashes to break out of string literal contexts and inject arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or complete database compromise.
Affected Products
- Kysely versions prior to 0.28.14
- Applications using Kysely with MySQL dialect
- Code paths utilizing ImmediateValueTransformer for inline values (specifically CreateIndexBuilder.where() and CreateViewBuilder.as())
Discovery Timeline
- 2026-03-26 - CVE-2026-33468 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33468
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) stems from incomplete input sanitization in Kysely's query compilation process. The DefaultQueryCompiler.sanitizeStringLiteral() function is responsible for safely encoding string literals before they are incorporated into SQL queries. However, the implementation only addresses single quote characters, leaving backslash characters unescaped.
In MySQL's default configuration (with NO_BACKSLASH_ESCAPES disabled), backslashes function as escape characters. An attacker can craft a malicious input containing a backslash that escapes the trailing quote of a string literal, effectively breaking out of the intended string context. This allows the injection of arbitrary SQL commands that will be executed by the database.
The vulnerability specifically affects code paths that use ImmediateValueTransformer to inline values directly into queries. The affected methods include CreateIndexBuilder.where() for conditional index creation and CreateViewBuilder.as() for view definitions. These methods process user-controllable input that, when improperly sanitized, becomes a vector for SQL injection attacks.
Root Cause
The root cause is the incomplete implementation of string literal sanitization in DefaultQueryCompiler.sanitizeStringLiteral(). The function fails to account for MySQL's default behavior where backslashes serve as escape characters. By only escaping single quotes (' → '') without also escaping backslashes (\ → \\), the sanitization can be bypassed through carefully crafted input strings containing backslash characters positioned to neutralize the trailing quote delimiter.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by providing malicious input to application endpoints that eventually pass data through the affected Kysely methods. The attacker crafts a payload containing a backslash character followed by SQL commands. When the improperly sanitized string is incorporated into the query, the backslash escapes the closing quote, and the subsequent malicious SQL is executed as part of the query.
For example, an input string ending with a backslash followed by injected SQL would cause the trailing single quote in the query template to be interpreted as a literal character rather than a string delimiter, allowing the attacker's SQL to execute in the query context.
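As an added illustration (not Kysely's own code): a model of the quote-only sanitizer beside one that also doubles backslashes, as the Root Cause section describes, each replayed through a simplified scanner of how a MySQL server with NO_BACKSLASH_ESCAPES off reads a string literal. The containment check shows exactly where the quote-only version lets the literal close early; the scanner, function names and sample string are assumptions made for this example.

```typescript
type Sanitizer = (value: string) => string;

// Pre-0.28.14 behaviour as the advisory describes it: only single quotes are doubled.
const sanitizeVulnerable: Sanitizer = (value) => value.replace(/'/g, "''");

// Post-fix behaviour: backslashes are doubled first, then single quotes.
const sanitizeFixed: Sanitizer = (value) =>
  value.replace(/\\/g, "\\\\").replace(/'/g, "''");

// How a MySQL server with NO_BACKSLASH_ESCAPES OFF reads one quoted literal
// (simplified: any "\x" decodes to "x"; named escapes such as \n are not modelled).
// Returns the decoded literal plus whatever SQL text follows the closing quote,
// or null when the literal never closes.
function scanMysqlLiteral(sql: string): { literal: string; trailing: string } | null {
  if (sql.charAt(0) !== "'") return null;
  let out = "";
  let i = 1;
  while (i < sql.length) {
    const c = sql.charAt(i);
    if (c === "\\" && i + 1 < sql.length) { out += sql.charAt(i + 1); i += 2; continue; }
    if (c === "'") {
      if (sql.charAt(i + 1) === "'") { out += "'"; i += 2; continue; }
      return { literal: out, trailing: sql.slice(i + 1) };
    }
    out += c;
    i += 1;
  }
  return null;
}

// Inline a value the way the affected builders do, then replay it through the scanner.
function compileAndScan(value: string, sanitize: Sanitizer) {
  const sql = `'${sanitize(value)}'`;
  return { sql, parsed: scanMysqlLiteral(sql) };
}

// A sanitizer is safe for this value only if the server decodes exactly the
// original string and nothing is left over after the closing quote.
function literalStaysContained(value: string, sanitize: Sanitizer): boolean {
  const { parsed } = compileAndScan(value, sanitize);
  return parsed !== null && parsed.literal === value && parsed.trailing === "";
}

// Constructed sample: a quote preceded by a backslash, the shape the advisory warns about.
const SAMPLE = "shipped\\' extra";
console.log(compileAndScan(SAMPLE, sanitizeVulnerable)); // literal closes early, trailing text leaks
console.log(compileAndScan(SAMPLE, sanitizeFixed));      // whole value stays inside the literal
```

The same check with a plain apostrophe input ("O'Reilly") passes for both sanitizers, which is why quote-only escaping looks correct until a backslash is involved.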
Detection Methods for CVE-2026-33468
Indicators of Compromise
- Unusual database query patterns containing backslash characters followed by SQL keywords
- Database error logs showing malformed or unexpected SQL syntax errors
- Evidence of data exfiltration or unauthorized database modifications
- Application logs showing requests with suspicious input patterns targeting index or view creation endpoints
Detection Strategies
- Implement database query logging and monitor for anomalous query structures, particularly those involving CREATE INDEX or CREATE VIEW statements with unusual string patterns
- Deploy Web Application Firewall (WAF) rules to detect SQL injection payloads containing backslash escape sequences
- Use Static Application Security Testing (SAST) tools to identify usage of affected Kysely methods with untrusted input
- Review application dependencies to identify installations of Kysely versions prior to 0.28.14
Monitoring Recommendations
- Enable verbose logging on MySQL databases to capture and analyze all executed queries
- Monitor for failed SQL query attempts that may indicate exploitation attempts
- Set up alerts for unexpected changes to database indexes or views
- Implement runtime application self-protection (RASP) to detect SQL injection attempts at the application layer
How to Mitigate CVE-2026-33468
Immediate Actions Required
- Upgrade Kysely to version 0.28.14 or later immediately
- Audit codebase for usage of CreateIndexBuilder.where() and CreateViewBuilder.as() methods with user-controlled input
- Implement input validation at the application layer as a defense-in-depth measure
- Consider enabling NO_BACKSLASH_ESCAPES SQL mode on MySQL databases as a temporary mitigation
Patch Information
Version 0.28.14 of Kysely contains the fix for this vulnerability. The patch addresses the incomplete string literal sanitization by properly escaping backslash characters in addition to single quotes when compiling queries for MySQL. Organizations should update their package dependencies to this version or later. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Enable NO_BACKSLASH_ESCAPES SQL mode on the MySQL server to prevent backslash interpretation as escape characters
- Avoid using CreateIndexBuilder.where() and CreateViewBuilder.as() with any user-controllable input until the patch is applied
- Implement strict input validation and sanitization at the application boundary before data reaches Kysely
- Use parameterized queries where possible instead of methods that inline values directly
# Enable NO_BACKSLASH_ESCAPES mode in MySQL as temporary mitigation
# (SET GLOBAL applies to new connections only and does not survive a server restart;
# on MySQL 8.0+ use SET PERSIST, or add the mode to sql_mode in my.cnf, to keep it)
mysql -u admin -p -e "SET GLOBAL sql_mode = CONCAT(@@sql_mode, ',NO_BACKSLASH_ESCAPES');"
# Verify the setting is active at the global level
mysql -u admin -p -e "SELECT @@GLOBAL.sql_mode;"
# Update Kysely to the patched version (an explicit version spec installs and records exactly 0.28.14)
npm install kysely@0.28.14
# Confirm the installed version
npm ls kysely
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

