CVE-2026-46421
CRITICAL
9.3
CVSS 4.0
Description
The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. User should upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. No known workarounds are available.
Metadata
Severity & Metrics
9.3
CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Affected products (3)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| @cap-js/db-service | @cap-js/db-service | — | = 2.10.1 |
| cap-js | @cap-js/postgres | — | = 2.2.2 |
| cap-js | @cap-js/sqlite | — | = 2.2.2 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-506 | cna | CWE-506: Embedded Malicious Code |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 9.3 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (4)
- https://github.com/cap-js/cds-dbs/security/advisories/GHSA-pvw4-cvr4-97p8 https://github.com/cap-js/cds-dbs/security/advisories/GHSA-pvw4-cvr4-97p8
- https://me.sap.com/notes/3747787 https://me.sap.com/notes/3747787
- https://www.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html https://www.sap.com/documents/2026/05/8203a8b9-4d7f-0010-bca6-c68f7e60039b.html
- https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared