Search criteria Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.

1 vulnerability by @powersync

CVE-2026-30870 (GCVE-0-2026-30870)

Vulnerability from cvelistv5 – Published: 2026-03-09 22:31 – Updated: 2026-03-10 14:14
VLAI?
Title
Some sync filters in PowerSync Service ignored using `config.edition: 3`
Summary
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
powersync-ja powersync-service Affected: < 1.20.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30870",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T14:14:10.547827Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T14:14:17.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "powersync-service",
          "vendor": "powersync-ja",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.20.1"
            }
          ]
        },
        {
          "product": "service-core",
          "vendor": "@powersync",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.20.1"
            }
          ]
        },
        {
          "product": "service-sync-rules",
          "vendor": "@powersync",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.33.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-09T22:31:40.035Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/powersync-ja/powersync-service/security/advisories/GHSA-q6wc-xx4m-92fj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/powersync-ja/powersync-service/security/advisories/GHSA-q6wc-xx4m-92fj"
        }
      ],
      "source": {
        "advisory": "GHSA-q6wc-xx4m-92fj",
        "discovery": "UNKNOWN"
      },
      "title": "Some sync filters in PowerSync Service ignored using `config.edition: 3`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30870",
    "datePublished": "2026-03-09T22:31:40.035Z",
    "dateReserved": "2026-03-06T00:04:56.698Z",
    "dateUpdated": "2026-03-10T14:14:17.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}