## [CRITICAL] SQL Injection in /login Endpoint Exploited in Production — Authentication Bypass Confirmed
A critical SQL injection vulnerability in a production authentication system has been actively exploited, allowing attackers to bypass login security. The flaw, located in the `/login` endpoint, was detected through production log analysis, confirming that an attacker successfully authenticated as an administrative user using a simple injection payload. This incident exposes a fundamental failure in input sanitization, directly compromising the core authentication mechanism.

The vulnerability stems from the `login()` function in `app/app.py`, which constructs SQL queries using Python f-strings with unsanitized user input. The specific code `query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"` is directly executed, creating a textbook injection point. Evidence from the logs shows an attacker submitted a payload with the username `admin' --` and an arbitrary password. The single quote closes the username literal and `--` starts a SQL comment, so the remainder of the `WHERE` clause, including the password comparison, is never evaluated and the query matches the `admin` row without a valid password.

This active exploitation signals a severe security lapse, placing all user data and system integrity at immediate risk. The incident triggers urgent scrutiny of the codebase for similar patterns and demands a comprehensive review of authentication and data access controls. The fact that such a basic vulnerability reached and was exploited in a production environment raises critical questions about the security review and deployment processes in place.
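As an added illustration, not code from the reported project: the f-string pattern described above reproduced against an in-memory SQLite table, side by side with the parameterized form that neutralizes the same `admin' --` payload. The table contents, column names and the `login_*` function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the original issue): one admin row in memory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Mirrors the f-string pattern from the issue: user input becomes SQL text,
    so a quote plus '--' comments out the password check entirely."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()  # (username, role) or None

def login_parameterized(conn, username, password):
    """Hardened form: fixed SQL text, values bound by the driver. The payload is
    compared literally against the username column and matches nothing."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

PAYLOAD_USER = "admin' --"   # the username seen in the production logs

def demo():
    """Run the same payload through both versions plus a legitimate login."""
    conn = make_db()
    results = {
        "vulnerable": login_vulnerable(conn, PAYLOAD_USER, "anything"),
        "parameterized": login_parameterized(conn, PAYLOAD_USER, "anything"),
        "legit": login_parameterized(conn, "admin", "correct-horse"),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:>13}: {row}")
```

The vulnerable path returns the admin row for a bogus password; the parameterized path returns `None` for the payload and still admits the genuine credentials. Note that both variants compare plaintext passwords only to stay close to the reported code; a real fix also stores salted password hashes.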
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SQL Injection, Authentication Bypass, Production Exploit, Security Vulnerability, Code Vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-05 16:26:57
- **ID**: 50653
- **URL**: https://whisperx.ai/en/intel/50653