CVE Reports

Posted on • Originally published at cvereports.com

GHSA-q6wc-xx4m-92fj: Improper Authorization in PowerSync Service Sync Streams

Vulnerability ID: GHSA-Q6WC-XX4M-92FJ
CVSS Score: 6.5
Published: 2026-03-07

A critical logic error in PowerSync Service version 1.20.0 causes the synchronization engine to ignore certain non-partitioning subquery filters in sync streams when the config.edition: 3 architecture is in use. The result is an authorization bypass: authenticated users may receive rows intended solely for privileged accounts, such as administrators.

TL;DR

PowerSync Service 1.20.0 ignores certain WHERE clause filters in sync streams when using config.edition: 3. Authenticated users can unintentionally sync restricted data if access is controlled via non-partitioning subqueries. Patched in version 1.20.1.
Technical Details

  • CWE ID: CWE-285
  • Attack Vector: Network
  • CVSS Score: 6.5 (Medium)
  • Impact: High Confidentiality Loss
  • Component: @powersync/service-core
  • Exploit Status: No Active Exploitation Known

Affected Systems

  • PowerSync Service (Self-Hosted)
  • PowerSync Service Core (npm)
  • @powersync/service-core: = 1.20.0 (only this version; fixed in: 1.20.1)
  • @powersync/service-sync-rules: <= 0.32.0 (Fixed in: 0.33.0)

Mitigation Strategies

  • Software Update
  • Configuration Rollback

Remediation Steps:

  1. Upgrade PowerSync Service: Update the @powersync/service-core package to version 1.20.1 or later.
  2. Upgrade Sync Rules: Update the @powersync/service-sync-rules package to version 0.33.0 or later.
  3. Verify Configuration: If immediate patching is not possible, revert the configuration to config.edition: 2 (if supported by your specific implementation) so that the legacy sync engine, which is not affected by this flaw, is used instead.
  4. Restart Service: A restart is required to load the new code. No database migrations or manual data cleanup is required on the server side.
  5. Client Reconciliation: Clients connecting to the patched service will automatically undergo reconciliation. Data that was synced erroneously will be removed from the local device database by the PowerSync protocol.
