## [CRITICAL] SQL Injection in Production /login Endpoint Exposes Authentication System
A critical SQL injection vulnerability has been discovered in the production authentication system, allowing attackers to bypass login and potentially exfiltrate sensitive user data. The flaw resides in the `/login` POST endpoint, where user-supplied input is interpolated directly into the SQL text using Python f-strings, so attacker-controlled characters are parsed as part of the query. Analysis of production logs from April 1, 2026, confirms the vulnerability is active and exploitable in the live environment.

The vulnerable code is located in the `app/app.py` file within the `login()` function. It constructs the query by embedding the user-supplied `username` and `password` parameters directly into the string: `query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"`. A proof-of-concept exploit demonstrates the severity: submitting `username` set to `admin' --` with any `password` value produces the query `SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything'`. The closing quote terminates the string literal and `--` turns the remainder of the line into an SQL comment, so the password check is never evaluated and the query returns the `admin` row, granting unauthorized admin access to anyone who knows (or guesses) that username.

The business impact is immediate and severe, encompassing full authentication bypass, significant data exfiltration risk from the underlying database, potential regulatory exposure under frameworks like GDPR, and substantial reputational damage. The suggested fix is to migrate to parameterized queries: the SQL text stays constant and user values are passed to the driver as bound parameters, so they are never parsed as SQL, regardless of quotes or comment markers they contain. This is a fundamental security practice that was evidently overlooked in this critical authentication flow.
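The following is an added example, not code from the project's `app/app.py`: it reproduces the reported f-string pattern against a constructed in-memory SQLite table (the real database engine is not named in the report), runs the advisory's `admin' --` payload against it, and shows the parameterized rewrite rejecting the same input. It also goes slightly beyond the reported case with a second payload that needs no valid username at all. The table contents and the helper names (`make_db`, `login_vulnerable`, `login_parameterized`) are assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for the production users table. The plaintext password
# column only mirrors the shape of the reported query; it is not a recommendation.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Reproduces the reported pattern: values interpolated into the SQL text.

    Deliberately vulnerable. Returns the first matching row, or None.
    """
    query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: constant SQL, values bound as parameters.

    The driver sends the values separately from the statement, so a quote or
    a '--' inside them is compared as data, never parsed as SQL.
    """
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both implementations against the advisory's payload and a
    username-agnostic variant; returns the rows each call produced."""
    conn = make_db()
    poc_user = "admin' --"        # payload from the report
    any_user = "' OR 1=1 --"      # needs no known username; returns the first row
    return {
        "vuln_poc": login_vulnerable(conn, poc_user, "anything"),
        "vuln_any": login_vulnerable(conn, any_user, "anything"),
        "safe_poc": login_parameterized(conn, poc_user, "anything"),
        "safe_any": login_parameterized(conn, any_user, "anything"),
        "safe_real": login_parameterized(conn, "admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Two caveats for anyone reproducing this against the real service. First, SQLite and PostgreSQL accept `--` immediately followed by another character, as in the reported query; MySQL requires whitespace after `--`, so the same test there needs `admin' -- ` with a trailing space. Second, the parameterized rewrite closes the injection, but the reported query also compares the `password` column directly to user input, which indicates plaintext password storage; that is a separate finding the report does not address.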
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, sql-injection, authentication, production
- **Credibility**: unverified
- **Published**: 2026-04-05 17:26:59
- **ID**: 50686
- **URL**: https://whisperx.ai/en/intel/50686