Listen to this Post
The vulnerability stems from the use of `fmt.Sprintf` to construct CQL (Cassandra Query Language) queries across all 66+ database functions in the `internal/storage/db/cassandradb/` package. User‑controlled inputs (email, phone, token, etc.) are directly interpolated into query strings without any parameterisation or sanitisation. Public, unauthenticated endpoints – including signup, login, forgot_password, and `magic_link_login` – pass user‑supplied data straight into these vulnerable query patterns. For example, a typical vulnerable query looks like:
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = '%s'", table, email)
err := p.db.Query(query).Scan(...)
An attacker can inject a single‑quote character followed by arbitrary CQL operators into the email field of a GraphQL request. The malformed input breaks out of the intended string literal, causing a CQL parse error that leaks internal schema information. With carefully crafted payloads, the attacker can alter query logic to bypass authentication, retrieve arbitrary data, or escalate privileges. The fix replaces all such interpolations with parameterised queries:
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = ?", table)
err := p.db.Query(query, email).Scan(...)
This pattern was applied to all 10 affected Cassandra files (totalling 66+ queries). The patch was merged in pull request 500 on 2026‑03‑27.
dailycve form: Platform: Authorizer Version: <=2.0.0 Vulnerability: CQL Injection Severity: High date: 2026‑03‑27 Prediction: 2026‑04‑10
What Undercode Say:
Analytics:
The vulnerability was introduced by string‑based query building. After the fix, parameterised queries are enforced across all Cassandra interactions.
Count vulnerable queries in the affected directory grep -r 'fmt.Sprintf.SELECT.FROM' internal/storage/db/cassandradb/ | wc -l Verify that no fmt.Sprintf remains in query construction after the patch grep -r 'fmt.Sprintf.SELECT.FROM' internal/storage/db/cassandradb/ || echo "Clean"
Exploit:
curl -X POST http://localhost:8080/graphql \
-H 'Content-Type: application/json' \
-d '{"query":"mutation { signup(params: { email: \"test'\''\" }) { message } }"}'
The injected single quote causes a CQL syntax error, revealing internal table and schema details. More advanced payloads can bypass authentication or exfiltrate data.
Protection from this CVE
- Upgrade to Authorizer version >2.0.0 (commit `73679faa53cd` or later).
- If immediate upgrade is impossible, enforce strict input validation (regex‑based email/phone sanitisation) as a temporary workaround.
- Use a Web Application Firewall (WAF) to block requests containing suspicious CQL keywords (e.g.,
DROP,INSERT,DELETE) in the email/phone fields. - Monitor Cassandra logs for unexpected CQL parse errors or malformed queries.
Impact
- Authentication Bypass: An unauthenticated attacker can log in as any user without credentials.
- Data Exfiltration: Full read access to the Cassandra keyspace, including user credentials, OTP secrets, and session tokens.
- Privilege Escalation: Modification of user roles or creation of new administrative accounts.
- Service Disruption: Crafted payloads can crash the Cassandra node or corrupt data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

