CVE-2026-28438

Description

### Impact The Doris target connector didn't verify the configured table name before creating some SQL statements (`ALTER TABLE`). So, in the application code, if the table name is provided by an untrusted upstream, it expose vulnerability to SQL injection when target schema change. ### Patches Yes, it's fixed in cocoindex 0.3.34: we start to validate table names passed to Doris target at entry point and error out immediately if it's not a valid identifier. ### Workarounds Users should make sure table names used to configure CocoIndex targets are valid, regardless of this fix. Which means - The table name comes from a trusted source (e.g. for most cases it's just a fixed string literal). - Even if it comes from an untrusted source (e.g. provided by end user), it should be validated before using it to configure the Doris target for CocoIndex.

How to fix CVE-2026-28438

To remediate CVE-2026-28438, upgrade the affected package to a fixed version below.

• —upgrade to 0.3.34 or later

Is CVE-2026-28438 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.3.34

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-28438
• PATCHgithub.com/cocoindex-io/cocoindex
• WEBgithub.com/cocoindex-io/cocoindex/commit/ba2fc4a89e22d35572c64bd2990737c7913b0729
• WEBgithub.com/cocoindex-io/cocoindex/security/advisories/GHSA-59g6-v3vg-f7wc