CVE-2026-8462: OpenMeter: SQL injection through meter creation
An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application’s JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no row-level security. Any authenticated tenant can read or write every other tenant’s metering data.
References
- github.com/advisories/GHSA-wc3v-3457-c8cm
- github.com/openmeterio/openmeter/commit/6ce29e743165890c10346f4c71d5bf79f1ecaf6f
- github.com/openmeterio/openmeter/pull/4383
- github.com/openmeterio/openmeter/releases/tag/v1.0.0-beta.228
- github.com/openmeterio/openmeter/security/advisories/GHSA-wc3v-3457-c8cm
- nvd.nist.gov/vuln/detail/CVE-2026-8462
Code Behaviors & Features
Detect and mitigate CVE-2026-8462 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →