CVE-2026-30870: CWE-285: Improper Authorization in powersync-ja powersync-service
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.
AI Analysis
Technical Summary
CVE-2026-30870 is a security vulnerability classified under CWE-285 (Improper Authorization) found in the PowerSync Service, a server-side component of the PowerSync sync engine, specifically in versions prior to 1.20.1. The issue occurs when using new sync streams configured with config.edition set to 3. In this configuration, certain subquery filters intended to restrict data synchronization are ignored if those subqueries do not partition the result set. This flaw allows authenticated users to synchronize data beyond their authorized scope, potentially exposing sensitive or restricted information. The vulnerability does not affect all sync queries but is limited to those gating synchronization via subqueries without result set partitioning. Exploitation requires the attacker to be authenticated but does not require user interaction, and the attack can be performed remotely over the network. The CVSS v3.1 base score is 6.5, reflecting a medium severity with high confidentiality impact, no integrity or availability impact, low attack complexity, and requiring privileges. The vulnerability was publicly disclosed on March 9, 2026, and fixed in version 1.20.1 of the PowerSync Service. No known exploits have been reported in the wild to date.
Potential Impact
The primary impact of CVE-2026-30870 is unauthorized data exposure due to improper authorization checks in the synchronization process. Authenticated users with limited permissions may gain access to sensitive or restricted data that should not be synchronized to them. This can lead to confidentiality breaches, potentially exposing proprietary, personal, or regulated information depending on the data managed by the PowerSync Service. Since the vulnerability does not affect data integrity or availability, the risk is confined to unauthorized data disclosure. Organizations relying on PowerSync Service for data synchronization may face compliance violations, reputational damage, and increased risk of insider threats or lateral movement by malicious actors exploiting this flaw. The ease of exploitation (low complexity, no user interaction) and remote attack vector increase the risk profile, especially in environments with many authenticated users or where privilege separation is critical.
Mitigation Recommendations
To mitigate CVE-2026-30870, organizations should immediately upgrade the PowerSync Service to version 1.20.1 or later, where the vulnerability is patched. In addition to patching, administrators should audit sync stream configurations, especially those using config.edition 3, to ensure that subquery filters are correctly applied and that synchronization queries partition result sets appropriately. Implement strict access controls and monitor synchronization logs for unusual data sync patterns that may indicate exploitation attempts. Employ network segmentation and limit access to the PowerSync Service to trusted users and systems only. Where possible, enforce the principle of least privilege for authenticated users to minimize potential data exposure. Finally, maintain an incident response plan to quickly address any suspected data leaks stemming from this vulnerability.
Affected Countries
United States, Germany, Japan, United Kingdom, Canada, Australia, France, South Korea, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-06T00:04:56.698Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69af4e6aea502d3aa8cf7ccc
Added to database: 3/9/2026, 10:49:14 PM
Last enriched: 3/9/2026, 11:04:17 PM
Last updated: 3/13/2026, 7:48:18 PM
Views: 43