CVE-2026-40887 is a critical SQL injection vulnerability (CWE-89) in the Vendure headless commerce platform affecting versions >=1.7.4 and prior to 2.3.4, 3.5.7, and 3.6.2. The vulnerability arises from direct interpolation of a user-controlled query string parameter into raw SQL expressions without parameterization or validation, allowing unauthenticated attackers to execute arbitrary SQL commands against the database via the Shop API. The Admin API is also affected but requires authentication for exploitation. The vulnerability impacts all supported database backends. Vendure patched this by introducing parameterized queries and input validation in the specified versions. Additionally, a hotfix is provided that validates the languageCode input at the boundary using RequestContextService.getLanguageCode, dropping invalid inputs silently and defaulting to the channel's language to block injection payloads.

Successful exploitation allows unauthenticated attackers to execute arbitrary SQL commands on the database via the Shop API, potentially leading to data exposure and denial of service. The Admin API is also vulnerable but requires authentication. The vulnerability affects all supported database backends, increasing the risk across deployments. The CVSS 3.1 score is 9.1 (critical), reflecting high impact on confidentiality and availability without requiring privileges or user interaction.

Fixed versions 2.3.4, 3.5.7, and 3.6.2 contain official patches that convert vulnerable SQL interpolation to parameterized queries and validate inputs to prevent injection. Users are strongly advised to upgrade to these versions. For those unable to upgrade immediately, Vendure provides a hotfix that validates the languageCode input at the boundary, dropping invalid values silently and using the channel's default language instead, effectively blocking injection payloads before they reach the query. Applying this hotfix mitigates the vulnerability until an upgrade is possible.