CVE-2026-15043

HMBRAND · DBI::SQL::Nano

DBI::SQL::Nano for Perl incorrectly evaluates SQL WHERE predicates, leading to inverted comparisons for <= and >= operators.

Executive summary

A logic error in the DBI::SQL::Nano engine causes incorrect evaluation of SQL comparison operators, potentially leading to unauthorized data access or policy bypass.

Vulnerability

This vulnerability involves the use of incorrect operators (CWE-480) within the is_matched method of the SQL engine. The <= and >= operators are improperly mapped to Perl comparison logic, causing queries to return incorrect data sets when filtering file-backed tables.

Business impact

The business impact is significant when the software is used to enforce security policies or authorization logic via database queries. With a CVSS score of 9.8, the silent failure of these comparisons could result in unauthorized data exposure or the failure of critical integrity checks, potentially violating compliance requirements.

Remediation

Immediate Action: Upgrade the DBI module to version 1.651 or later to resolve the operator inversion logic.

Proactive Monitoring: Review application-level logs and database query results for unexpected filtering behavior or records that should have been excluded by security predicates.

Compensating Controls: Audit any application code that relies on DBI::SQL::Nano for authorization or sensitive data filtering to ensure that logic remains sound until patching is completed.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

While this is a logic-based flaw rather than a traditional injection, the impact on data integrity is severe. Organizations relying on file-backed DBI drivers should verify their version and apply the update as soon as possible.