ZCyberNews
Vulnerabilities | Critical | 3 min read

Corteza SQL Injection Flaw CVE-2026-6093 Lets Attackers Dump Databases

CVE-2026-6093: A SQL injection vulnerability in Corteza's MSSQL backend allows unauthenticated attackers to extract database contents via Compose record meta-field filters.

Executive Summary

Corteza, an open-source low-code platform, contains a SQL injection vulnerability in its Microsoft SQL Server (MSSQL) backend that lets unauthenticated attackers extract arbitrary database contents. Tracked as CVE-2026-6093, the flaw resides in how the platform filters Compose records by the meta field. The vulnerability affects Corteza version 2024.9.8, according to a disclosure published by Fluid Attacks on their advisory portal. No CVSS score has been assigned as of publication, but the unauthenticated, remotely exploitable nature of the flaw places it in critical-severity territory for any deployment using MSSQL as the backend database.

Technical Analysis

Corteza is a low-code application development platform written in Go that allows organizations to build custom business applications through a web interface. It supports multiple database backends, including PostgreSQL, MySQL, and Microsoft SQL Server. The vulnerability disclosed by Fluid Attacks specifically targets installations configured with MSSQL.

The SQL injection occurs in the Compose record filtering functionality when the platform processes queries against the meta field. The advisory states that the flaw is present "when filtering Compose records by the meta field" in the MSSQL backend. This suggests the application fails to properly sanitize or parameterize user-supplied input passed to SQL queries that filter records based on metadata attributes.

Because the vulnerability is accessible through the Compose record filtering endpoint, an attacker does not need authentication to trigger it. A remote, unauthenticated attacker can craft HTTP requests containing malicious SQL statements in the meta-field filter parameter. The MSSQL backend then executes these injected statements, potentially allowing the attacker to enumerate database tables, extract user credentials, access application data, or pivot to other systems connected to the same database server.

The advisory does not specify whether the injection is time-based or error-based, nor does it detail the exact HTTP endpoint or parameter structure. However, SQL injection in low-code platforms is particularly dangerous because these systems often store sensitive business data, user accounts, and integration credentials in the same database.

Mitigations & Recommendations

Corteza administrators running version 2024.9.8 with an MSSQL backend should immediately restrict network access to the Corteza web interface until a patched version is released. If the platform cannot be taken offline, deploy a web application firewall (WAF) with rules that block SQL injection patterns in query parameters, particularly those targeting the Compose record filtering endpoints.

Organizations should also audit database logs for unusual queries originating from the Corteza application service account: look for UNION, SELECT, INSERT, or EXEC statements appended to meta-field filter queries. Given the lack of a published patch at this time, defenders should consider temporarily migrating the backend database to PostgreSQL or MySQL if feasible, since the advisory indicates the flaw is specific to the MSSQL backend.
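As an added example (not code from this article, from Fluid Attacks, or from the Corteza project), the following Python scans query-log lines for the pattern the audit guidance above describes: a string literal in a meta-field filter followed by an appended or stacked UNION, SELECT, INSERT or EXEC statement. The log layout, the service-account login name, and the table and column names are assumptions, and the sample lines are constructed.

```python
"""Scan constructed MSSQL query-log lines for SQL appended to Compose meta-field filters."""
import re
from dataclasses import dataclass

# Constructed sample lines in a hypothetical "<timestamp> <login> <statement>" layout.
# The table and column names are illustrative and are not Corteza's real schema.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z corteza_svc SELECT id FROM compose_record WHERE JSON_VALUE(meta, '$.owner') = @p1
2026-03-01T10:00:07Z corteza_svc SELECT id FROM compose_record WHERE JSON_VALUE(meta, '$.owner') = 'alice'
2026-03-01T10:02:13Z corteza_svc SELECT id FROM compose_record WHERE JSON_VALUE(meta, '$.owner') = 'x' UNION SELECT name FROM sys.tables --'
2026-03-01T10:02:20Z corteza_svc SELECT id FROM compose_record WHERE JSON_VALUE(meta, '$.owner') = 'x'; EXEC sp_who --'
2026-03-01T10:03:00Z reporting_user SELECT COUNT(*) FROM compose_record WHERE JSON_VALUE(meta, '$.owner') = 'x' UNION SELECT 1
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<login>\S+)\s+(?P<sql>.+)$")
# The statement must reference the meta column at all ...
META_FILTER = re.compile(r"\bmeta\b", re.IGNORECASE)
# ... and contain a closing string literal followed (directly or after ';') by a
# statement keyword, i.e. SQL appended to the filter rather than a bound parameter.
APPENDED = re.compile(r"'\s*(?:;\s*)?(UNION|SELECT|INSERT|EXEC|EXECUTE)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    login: str
    keyword: str
    statement: str


def scan(log_text: str, service_account: str = "corteza_svc") -> list[Finding]:
    """Return one Finding per line from the service account whose meta filter carries appended SQL."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["login"] != service_account:
            continue  # malformed line, or not the application account the guidance focuses on
        sql = m["sql"]
        if not META_FILTER.search(sql):
            continue  # not a meta-field filter query
        hit = APPENDED.search(sql)
        if hit:
            findings.append(Finding(m["ts"], m["login"], hit.group(1).upper(), sql))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.login} appended {f.keyword}: {f.statement}")
```

Parameterized statements (the `@p1` line) and plain literals produce no finding; only the two service-account lines with appended UNION and stacked EXEC are reported, and the other login is ignored unless passed as `service_account`.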

Monitor Fluid Attacks' advisory page and the Corteza GitHub repository for patch announcements. Until a fix is available, the most effective mitigation is to isolate the Corteza instance from untrusted networks.
