CVE-2026-40887 is a critical SQL injection vulnerability in the Vendure headless commerce platform affecting versions >=1.7.4 and <2.3.4, >=3.0.0 and <3.5.7, and >=3.6.0 and <3.6.2. The vulnerability arises from direct interpolation of a user-controlled query string parameter into raw SQL without parameterization or validation, impacting all supported databases (PostgreSQL, MySQL/MariaDB, SQLite). The Shop API is vulnerable to unauthenticated exploitation, while the Admin API requires authentication. Vendure patched this issue in versions 2.3.4, 3.5.7, and 3.6.2 by converting the vulnerable SQL interpolation to parameterized queries and providing a hotfix that validates the languageCode input to prevent injection payloads.

An attacker can exploit this vulnerability to execute arbitrary SQL commands on the backend database without authentication via the Shop API, potentially leading to data exposure and denial of service. The Admin API is also vulnerable but requires authentication to exploit. The vulnerability affects all supported database backends. The CVSS score of 9.1 indicates a critical severity with network attack vector, no privileges required, and high impact on confidentiality and availability.

Vendure has released official patches in versions 2.3.4, 3.5.7, and 3.6.2 that fix this vulnerability by parameterizing SQL queries and validating inputs. Users should upgrade to one of these patched versions to fully remediate the issue. For those unable to upgrade immediately, Vendure provides a hotfix that replaces the getLanguageCode method to validate and sanitize the languageCode input, blocking injection payloads before they reach the database. Applying this hotfix is recommended as a temporary mitigation until upgrading is possible.