GHSA-wc3v-3457-c8cm: OpenMeter: SQL injection through meter creation
Summary
OpenMeter has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its meter creation endpoint. An authenticated tenant can inject arbitrary SQL through the `valueProperty` or `groupBy` fields, bypassing validation and executing commands against the shared ClickHouse database (the system that stores event data for all tenants), allowing any tenant to read or modify other tenants' metering data.
Solution / Mitigation
Replace `fmt.Sprintf` string interpolation with `sb.Var()`, which appends the value to the builder's args list and emits a `?` placeholder. Specifically, change: `sb.Select(fmt.Sprintf("JSON_VALUE('{}', '%s')", sqlbuilder.Escape(d.jsonPath)))` to `sb.Select(fmt.Sprintf("JSON_VALUE('{}', %s)", sb.Var(d.jsonPath)))`.
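To make the fix concrete, here is an added, self-contained Go example (not OpenMeter's code and not the sqlbuilder library it uses). `QueryBuilder` is a hypothetical stand-in whose `Var` does what the advisory describes: it appends the value to an args list and returns a `?` placeholder. `escapeFormatMarkers` is an assumed stand-in for an escaper that leaves single quotes untouched, which is the situation the advisory reports was bypassed. `BuildVulnerable` reproduces the interpolation pattern; `BuildFixed` applies the mitigation, so the SQL text stays constant whatever the tenant sends and the path only ever travels as a bound argument.

```go
package main

import (
	"fmt"
	"strings"
)

// QueryBuilder is a minimal, hypothetical stand-in for a SQL builder.
// Var mirrors the behaviour the advisory relies on: the value goes into
// args and only a "?" placeholder lands in the SQL text.
type QueryBuilder struct {
	cols []string
	args []any
}

// Var binds v as a query argument and returns the placeholder to splice into SQL.
func (b *QueryBuilder) Var(v any) string {
	b.args = append(b.args, v)
	return "?"
}

// Select records a column expression verbatim.
func (b *QueryBuilder) Select(expr string) *QueryBuilder {
	b.cols = append(b.cols, expr)
	return b
}

// Build returns the SQL text and the bound arguments (constructed table name).
func (b *QueryBuilder) Build() (string, []any) {
	return "SELECT " + strings.Join(b.cols, ", ") + " FROM events", b.args
}

// escapeFormatMarkers is an assumed stand-in for an escaper that only
// protects a builder's own format markers; it does nothing about the
// single quote that terminates a SQL string literal.
func escapeFormatMarkers(s string) string {
	return strings.ReplaceAll(s, "$", "$$")
}

// BuildVulnerable: tenant-controlled jsonPath is interpolated into the SQL
// text inside a string literal, so a quote in the input changes the query.
func BuildVulnerable(jsonPath string) (string, []any) {
	sb := &QueryBuilder{}
	sb.Select(fmt.Sprintf("JSON_VALUE('{}', '%s')", escapeFormatMarkers(jsonPath)))
	return sb.Build()
}

// BuildFixed: jsonPath is bound via Var, so the SQL text contains only "?"
// and the database driver treats the value purely as data.
func BuildFixed(jsonPath string) (string, []any) {
	sb := &QueryBuilder{}
	sb.Select(fmt.Sprintf("JSON_VALUE('{}', %s)", sb.Var(jsonPath)))
	return sb.Build()
}

// SQLTextDependsOnInput is a small review check: build the query with two
// different inputs and report whether the SQL text itself changed. For a
// correctly parameterised builder it must return false.
func SQLTextDependsOnInput(build func(string) (string, []any), a, b string) bool {
	sqlA, _ := build(a)
	sqlB, _ := build(b)
	return sqlA != sqlB
}

func main() {
	benign, hostile := "$.amount", "$.amount')" // constructed sample inputs
	for _, in := range []string{benign, hostile} {
		vsql, vargs := BuildVulnerable(in)
		fsql, fargs := BuildFixed(in)
		fmt.Printf("vulnerable: %s  args=%v\n", vsql, vargs)
		fmt.Printf("fixed:      %s  args=%v\n", fsql, fargs)
	}
	fmt.Println("vulnerable text varies with input:", SQLTextDependsOnInput(BuildVulnerable, benign, hostile))
	fmt.Println("fixed text varies with input:     ", SQLTextDependsOnInput(BuildFixed, benign, hostile))
}
```

The `SQLTextDependsOnInput` check is the property to assert in a regression test after applying this kind of fix: the query text produced for any two inputs must be identical, with the difference confined to the bound arguments.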
Vulnerability Details
EPSS: 0.0%
June 4, 2026
Original source: https://github.com/advisories/GHSA-wc3v-3457-c8cm
First tracked: June 4, 2026 at 08:00 PM