CVE-2026-15043
HMBRAND · DBI::SQL::Nano
DBI::SQL::Nano for Perl incorrectly evaluates SQL WHERE predicates, leading to inverted comparisons for <= and >= operators.
Executive summary
A logic error in the DBI::SQL::Nano engine causes incorrect evaluation of SQL comparison operators, potentially leading to unauthorized data access or policy bypass.
Vulnerability
This vulnerability involves the use of incorrect operators (CWE-480) within the is_matched method of the SQL engine. The <= and >= operators are improperly mapped to Perl comparison logic, causing queries to return incorrect data sets when filtering file-backed tables.
Business impact
The business impact is significant when the software is used to enforce security policies or authorization logic via database queries. With a CVSS score of 9.8, the silent failure of these comparisons could result in unauthorized data exposure or the failure of critical integrity checks, potentially violating compliance requirements.
Remediation
Immediate Action: Upgrade the DBI module to version 1.651 or later to resolve the operator inversion logic.
Proactive Monitoring: Review application-level logs and database query results for unexpected filtering behavior or records that should have been excluded by security predicates.
Compensating Controls: Audit any application code that relies on DBI::SQL::Nano for authorization or sensitive data filtering to ensure that logic remains sound until patching is completed.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
While this is a logic-based flaw rather than a traditional injection, the impact on data integrity is severe. Organizations relying on file-backed DBI drivers should verify their version and apply the update as soon as possible.