Skip to content

[Security] Arbitrary SQL execution via sqlRequest command #47

New issue
New issue
Open
Open
[Security] Arbitrary SQL execution via sqlRequest command#47
@coderabbitai

Description

@coderabbitai
coderabbitai
bot
opened on Feb 28, 2026

Summary

The sqlRequest command allows arbitrary SQL execution with only a single shared password.

Affected Code

  • server-services/start-services.js Lines 338-390

Vulnerability

Any client with the sqlPassword can run arbitrary SQL.

Impact

  • Full database read/write/delete access

Recommended Fix

  1. Disable by default; require explicit LS_ENABLE_SQL_API=true env flag
  2. Require verified auth_key in addition to sqlPassword
  3. IP allowlist or mTLS
  4. Audit logging

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions