PyPI: ckan
CVE-2026-42032
Safety vulnerability ID: SFTY-20260430-00489
Safety legacy ID: pyup.io-95374
Affected versions of the CKAN package are vulnerable to Authorization Bypass due to insufficient authorization enforcement in the DataStore SQL search action. The flaw resides in the `datastore_search_sql` action, whose protections do not adequately restrict access, allowing requests to bypass authorization checks against the underlying PostgreSQL backend. An unauthenticated attacker can leverage this weakness to gain access to private resources and to PostgreSQL system information that should otherwise be restricted.
Overview
CKAN has Unauthenticated Authorization Bypass in `datastore_search_sql`
References
- https://getsafety.com/vulnerabilities/SFTY-20260430-00489/CVE-2026-42032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42032
- https://data.safetycli.com/changelogs/ckan/
- https://github.com/advisories/GHSA-cg4x-64p3-x59h
- https://pypi.org/project/ckan
- https://github.com/ckan/ckan/security/advisories/GHSA-cg4x-64p3-x59h
- https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29
- https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29
- https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions
- https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled
- https://nvd.nist.gov/vuln/detail/CVE-2026-42032
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.