GHSA-mjw2-v2hm-wj34: Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
Summary
Dagster had a SQL injection vulnerability (a security flaw where attackers can insert malicious SQL commands into database queries) in its database I/O managers (tools that read and write data to databases like DuckDB, Snowflake, and BigQuery). Users with permission to add dynamic partitions (flexible data groupings) could create partition keys that contained SQL commands, which would then execute against the database with the I/O manager's credentials, potentially allowing unauthorized data access or modification.
Solution / Mitigation
Update to the patched versions of Dagster. The fix ensures that partition key values are properly escaped before inclusion in SQL queries across all affected I/O managers. No configuration changes or workarounds are required alongside the update; only the Dagster code version needs to be updated. If unable to apply the update, manual workarounds are described in the referenced gist (https://gist.github.com/gibsondan/6d0c483f8499a8b1cd460cddc9fd8f72).
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-mjw2-v2hm-wj34
First tracked: April 18, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 85%