CVE-2026-4190 identifies a SQL injection vulnerability in the JawherKl node-api-postgres package, specifically in the User.getAll function located in models/user.js. The vulnerability arises from improper handling of the 'sort' argument, which is directly incorporated into SQL queries without adequate sanitization or parameterization. This allows an attacker to craft malicious input that alters the intended SQL command, potentially exposing or modifying sensitive database information. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing the attack surface. The CVSS 4.0 score of 6.9 reflects a medium severity, indicating a significant but not critical risk. The vendor has been contacted but has not provided a patch or mitigation guidance, and public exploit code is available, increasing the likelihood of exploitation. The affected versions range from 2.0 through 2.5 of the node-api-postgres package, widely used in Node.js applications interfacing with PostgreSQL databases. The lack of scope change means the impact is limited to the affected component, but the confidentiality, integrity, and availability of the database can be partially compromised. This vulnerability highlights the importance of proper input validation and use of parameterized queries in preventing SQL injection attacks.

The SQL injection vulnerability in node-api-postgres can lead to unauthorized access to sensitive data, data corruption, or denial of service by manipulating database queries. Organizations relying on this package for backend services risk exposure of user data, intellectual property, or operational data. Attackers can exploit this flaw to extract confidential information, modify or delete records, or disrupt service availability. Given the remote and unauthenticated nature of the exploit, any publicly accessible service using the affected package is vulnerable. This can result in reputational damage, regulatory penalties due to data breaches, and operational downtime. The medium severity rating suggests that while the impact is serious, it may not lead to full system compromise without additional vulnerabilities. However, combined with other weaknesses, it could facilitate broader attacks. The absence of vendor response and patches increases the urgency for organizations to implement their own mitigations or consider alternative solutions.

To mitigate CVE-2026-4190, organizations should immediately audit their use of the node-api-postgres package, specifically the User.getAll function and any usage of the 'sort' parameter. Implement strict input validation and sanitization to ensure that only expected values are accepted for sorting, ideally using a whitelist of allowed column names. Refactor SQL queries to use parameterized statements or prepared queries rather than string concatenation to prevent injection. If possible, upgrade to a patched version once available or switch to an alternative, actively maintained package with secure coding practices. Employ Web Application Firewalls (WAFs) with SQL injection detection rules to provide an additional layer of defense. Monitor logs for suspicious query patterns indicative of injection attempts. Conduct regular security assessments and code reviews focusing on database interaction layers. Finally, isolate database access with least privilege principles to limit the impact of any successful injection.