{"data":{"id":"223518e0-5c0e-43fe-9baa-c6ea94177cff","title":"GHSA-wc3v-3457-c8cm: OpenMeter: SQL injection through meter creation","summary":"OpenMeter has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its meter creation endpoint. An authenticated tenant can inject arbitrary SQL through the `valueProperty` or `groupBy` fields, bypassing validation and executing commands against the shared ClickHouse database (the system that stores event data for all tenants), allowing any tenant to read or modify other tenants' metering data.","solution":"Replace `fmt.Sprintf` string interpolation with `sb.Var()`, which appends the value to the builder's args list and emits a `?` placeholder. Specifically, change: `sb.Select(fmt.Sprintf(\"JSON_VALUE('{}', '%s')\", sqlbuilder.Escape(d.jsonPath)))` to `sb.Select(fmt.Sprintf(\"JSON_VALUE('{}', %s)\", sb.Var(d.jsonPath)))`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-wc3v-3457-c8cm","publishedAt":"2026-06-04T18:39:52.000Z","cveId":"CVE-2026-8462","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/openmeterio/openmeter@< 1.0.0-beta.228 (fixed: 1.0.0-beta.228)"],"affectedVendors":[],"affectedVendorsRaw":["OpenMeter","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-04T18:39:52.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}