CVE-2026-4190 is a SQL injection vulnerability found in the JawherKl node-api-postgres package, specifically affecting versions 2.0 through 2.5. The vulnerability resides in the User.getAll function within the models/user.js file, where the 'sort' parameter is directly incorporated into SQL queries without proper sanitization or parameterization. This flaw allows an attacker to craft malicious input for the 'sort' argument, which is then executed by the PostgreSQL database, enabling arbitrary SQL commands to be run remotely. The vulnerability requires no authentication or user interaction, increasing its risk profile. The public availability of exploit code further heightens the threat. The vendor was contacted prior to public disclosure but did not respond or provide a patch, leaving users exposed. The CVSS 4.0 base score is 6.9 (medium severity) with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P, indicating network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. This vulnerability can lead to unauthorized data disclosure, data modification, or deletion, potentially compromising the integrity and availability of backend databases. Given the widespread use of Node.js and PostgreSQL in web applications, this vulnerability poses a significant risk to affected deployments.

The SQL injection vulnerability in node-api-postgres can have severe consequences for organizations relying on this library. Attackers can remotely execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive user data, modification or deletion of database records, and disruption of application availability. This can result in data breaches, loss of customer trust, regulatory penalties, and operational downtime. Since the vulnerability requires no authentication or user interaction, it can be exploited by any remote attacker scanning for vulnerable endpoints. The lack of vendor response and absence of official patches increase the window of exposure, forcing organizations to implement their own mitigations. The impact is especially critical for applications handling sensitive personal, financial, or proprietary data. Additionally, exploitation could serve as a foothold for further attacks within compromised networks.

To mitigate CVE-2026-4190, organizations should immediately audit their use of the node-api-postgres library and identify any instances of versions 2.0 through 2.5. Until an official patch is released, developers should implement input validation and sanitization on the 'sort' parameter to ensure it only accepts predefined, safe values or use parameterized queries to prevent injection. Refactoring the User.getAll function to avoid direct string concatenation in SQL statements is critical. Employ Web Application Firewalls (WAFs) with SQL injection detection rules to block malicious payloads targeting this vulnerability. Monitor logs for suspicious query patterns or unusual database activity. If feasible, isolate database access and restrict permissions to minimize potential damage from exploitation. Organizations should also consider upgrading to a patched or alternative library version once available. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.