CVE-2026-42550 Overview
CVE-2026-42550 is a SQL injection vulnerability in Flight, an extensible micro-framework for PHP. The flaw resides in the SimplePdo helper class, specifically in the insert(), update(), and delete() methods. These functions build SQL statements by concatenating the $table argument and the keys of the $data array directly into queries without identifier quoting or validation. Applications that forward request data to these helpers as-is, so that the client controls the array keys (a documented usage pattern), allow attackers to inject arbitrary SQL through crafted array keys. The vulnerability affects all versions prior to 3.18.1 and is tracked under [CWE-89].
Critical Impact
Authenticated attackers can execute arbitrary SQL statements against the application database, leading to data theft, modification, or destruction.
Affected Products
- Flight PHP framework (flightphp/core) versions prior to 3.18.1
- Applications using SimplePdo::insert() with user-controlled array keys
- Applications using SimplePdo::update() or SimplePdo::delete() with unsanitized input
Discovery Timeline
- 2026-05-13 - CVE-2026-42550 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42550
Vulnerability Analysis
The vulnerability stems from unsafe SQL string construction in the SimplePdo class shipped with the Flight PHP framework. The helper methods insert(), update(), and delete() accept a table name and an associative data array. Instead of binding column identifiers safely or validating them against an allowlist, the implementation concatenates the table name and array keys directly into the resulting SQL statement. The values are bound as parameters, but the column identifiers are not. This creates an injection sink wherever an application forwards request data to these helpers.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89] applied to identifier components rather than value components. PDO parameter binding protects value placeholders, but it does not protect column or table identifiers. Because SimplePdo builds the column list from array_keys($data) without quoting or whitelisting, any attacker-controlled key becomes part of the executed SQL.
Attack Vector
A common documented usage pattern is $db->insert('users', $request->data->getData()), where the request payload determines both column names and values. An attacker submits a request body containing crafted keys such as name) VALUES ('x'); DROP TABLE users;-- to break out of the intended column list. The injected fragment is concatenated into the final query and executed by the database engine. Exploitation requires only the ability to send requests that reach a vulnerable code path, which in most application designs corresponds to low-privilege authenticated access.
No public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory for additional technical context.
Detection Methods for CVE-2026-42550
Indicators of Compromise
- Database query logs containing unusual identifiers, SQL keywords, or comment markers (--, /*) inside column-name positions of INSERT, UPDATE, or DELETE statements.
- Web server access logs showing request payloads with JSON or form keys containing SQL syntax, parentheses, or semicolons.
- Unexpected schema modifications, dropped tables, or anomalous rows in tables written by SimplePdo helpers.
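The query-log indicator above, and the strategy of reviewing generated statements for malformed column identifiers, can be turned into a concrete rule. The following is an added example, not code from Flight or the advisory; it assumes SimplePdo emits unquoted INSERT and UPDATE statements of the shapes noted in the comments, and the sample log lines are constructed.

```php
<?php
declare(strict_types=1);
// Plain identifier, the same pattern the workarounds section uses for allowlisting keys.
const IDENT = '/^[A-Za-z_][A-Za-z0-9_]*$/';

// Inspect one prepared-statement text as PDO logs it and return why it looks injected,
// or null if clean. Assumed unquoted shapes, as the advisory describes SimplePdo building:
//   INSERT INTO <table> (<col>, <col>) VALUES (?, ?)   and   UPDATE <table> SET <col> = ? ...
function suspiciousStatement(string $sql): ?string
{
    $sql = trim($sql);
    // One helper-built statement never contains a second statement or a comment marker.
    if (preg_match('/;\s*\S|--|\/\*/', $sql)) {
        return 'stacked statement or comment marker';
    }
    if (preg_match('/^INSERT\s+INTO\s+(\S+)\s*\((.*)\)\s*VALUES\s*\((.*)\)$/is', $sql, $m)) {
        $identifiers = array_merge([$m[1]], explode(',', $m[2]));
        if (!preg_match('/^\s*\?(\s*,\s*\?)*\s*$/', $m[3])) { // bound values are placeholders only
            return 'non-placeholder in VALUES list: ' . trim($m[3]);
        }
    } elseif (preg_match('/^UPDATE\s+(\S+)\s+SET\s+(.*?)(?:\s+WHERE\s.*)?$/is', $sql, $m)) {
        $identifiers = [$m[1]];
        foreach (explode(',', $m[2]) as $assignment) {
            if (!preg_match('/^\s*(\S+)\s*=\s*\?\s*$/', $assignment, $a)) { // must be "<col> = ?"
                return 'malformed SET assignment: ' . trim($assignment);
            }
            $identifiers[] = $a[1];
        }
    } else {
        return null; // other statement shapes are out of scope for this rule
    }
    foreach ($identifiers as $ident) {
        if (!preg_match(IDENT, trim($ident))) {
            return 'non-identifier in table/column position: ' . trim($ident);
        }
    }
    return null;
}

// Constructed sample statements, not real log data; the second carries the advisory's example key.
const SAMPLE_LOG = [
    'INSERT INTO users (name, email) VALUES (?, ?)',
    "INSERT INTO users (name) VALUES ('x'); DROP TABLE users;--) VALUES (?)",
    'INSERT INTO users (name, email, 1) VALUES (?, ?, ?)',
    'UPDATE users SET name = ?, (email) = ? WHERE id = ?',
];
foreach (SAMPLE_LOG as $line) {
    $reason = suspiciousStatement($line);
    printf("%s  %s\n", $reason === null ? 'ok   ' : 'ALERT', $reason ?? $line);
}
```

Run against real PDO statement logs, the rule flags only statements built from SimplePdo's identifier positions; values bound as parameters never appear in the text and so cannot trigger it.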
Detection Strategies
- Audit application code for calls to SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() where the $data argument originates from request input.
- Enable PDO query logging and review generated statements for malformed column identifiers.
- Deploy web application firewall rules that inspect request parameter names — not just values — for SQL metacharacters.
Monitoring Recommendations
- Monitor PHP application logs for PDO exceptions or syntax errors indicating failed injection attempts.
- Alert on outbound database errors correlated with specific endpoints that consume user-supplied arrays.
- Track Composer dependency inventories to identify hosts still running flightphp/core below version 3.18.1.
How to Mitigate CVE-2026-42550
Immediate Actions Required
- Upgrade flightphp/core to version 3.18.1 or later using Composer.
- Audit every call site of SimplePdo::insert(), update(), and delete() for direct forwarding of request data.
- Replace dynamic array forwarding with an explicit allowlist of column names mapped from request fields.
Patch Information
The vulnerability is fixed in flightphp/core version 3.18.1. The upstream fix is described in the GitHub Security Advisory GHSA-xwqr-rcqg-22mr. Apply the update through composer update flightphp/core and redeploy affected applications.
Workarounds
- Validate array keys against a strict allowlist before passing data to SimplePdo helpers.
- Wrap insert(), update(), and delete() calls in a sanitization layer that rejects keys not matching ^[A-Za-z_][A-Za-z0-9_]*$.
- Restrict database account privileges so application users cannot execute DROP, ALTER, or cross-table operations.
# Upgrade Flight to the patched release
composer require flightphp/core:^3.18.1
composer update flightphp/core
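The workarounds above (explicit column allowlist, identifier-pattern check on keys) combined in one guard, as an added example that is not code from Flight or the advisory. It assumes $db is the SimplePdo instance with insert(string $table, array $data) as in the documented call; mapToAllowedColumns() and storeUser() are names chosen here.

```php
<?php
declare(strict_types=1);

// The identifier pattern from the workarounds above; anything else in a key is rejected.
const SAFE_IDENTIFIER = '/^[A-Za-z_][A-Za-z0-9_]*$/';

/**
 * Build the $data array for a SimplePdo helper from request input without letting the
 * client choose identifiers. $allowlist maps request field => database column, so the
 * column list comes from the allowlist values (developer-controlled literals), never from
 * the request keys themselves. Keys that are not plain identifiers are treated as
 * tampering and raise an exception; well-formed keys that are simply unknown are dropped.
 */
function mapToAllowedColumns(array $requestData, array $allowlist): array
{
    $row = [];
    foreach ($requestData as $field => $value) {
        if (!is_string($field) || !preg_match(SAFE_IDENTIFIER, $field)) {
            throw new InvalidArgumentException('rejected request key: ' . var_export($field, true));
        }
        if (array_key_exists($field, $allowlist)) {
            $row[$allowlist[$field]] = $value;
        }
    }
    if ($row === []) {
        throw new InvalidArgumentException('no allowlisted fields supplied');
    }
    return $row;
}

/**
 * Replacement for the documented call $db->insert('users', $request->data->getData()).
 * $db is assumed to be the SimplePdo instance with insert(string $table, array $data).
 */
function storeUser($db, array $requestData): bool
{
    $allowlist = ['name' => 'name', 'email' => 'email', 'displayName' => 'display_name'];
    try {
        $row = mapToAllowedColumns($requestData, $allowlist);
    } catch (InvalidArgumentException $e) {
        // Surface the rejection to monitoring: this is the failed-attempt signal to alert on.
        error_log('CVE-2026-42550 guard rejected input: ' . $e->getMessage());
        return false;
    }
    $db->insert('users', $row); // table name is a literal, never taken from the request
    return true;
}
```

The same mapping function can feed update() and delete() calls; the guard is only a stopgap until flightphp/core is upgraded to 3.18.1 or later.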
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.