Researchers have disclosed a critical-severity vulnerability in Firebird, the long-standing relational database with roots dating back to 1981, that allows an authenticated database user to execute arbitrary native code inside the server process, with the privileges of the account that runs it, and to do so outside the restrictions that apply to legacy UDF loading.
Tracked as CVE-2026-40342, the flaw has been assigned a maximum CVSS score of 10.0, reflecting its ease of exploitation and devastating potential impact.
The vulnerability is a classic Path Traversal (CWE-22) issue located within the engine/plugin loader. When a user executes a CREATE FUNCTION statement using the ENGINE keyword, Firebird attempts to load the specified plugin by building a file path.
Firebird takes the “engine name” provided in the SQL statement and simply appends it to the plugins directory string. The system does not filter for path separators (/ or \) or parent directory components (..).
An attacker can use a crafted name to “walk” out of the intended plugins folder and point the database at a malicious shared library anywhere on the filesystem, provided the library has first been placed somewhere the server account can read it.
One of the most alarming aspects of this bug is when the malicious code runs. Firebird uses standard OS functions like dlopen() on Linux/macOS or LoadLibraryEx() on Windows to load the file.
The initialization code (constructors or DllMain) of the loaded library runs immediately upon loading. This occurs before Firebird even has a chance to check if the file is a valid plugin. While the SQL statement eventually fails with a metadata error, the damage is already done: the attacker’s code has already executed inside the server process.
Any database user with permission to run CREATE FUNCTION can trigger the load. Once triggered, the attacker gains code execution as the OS account running the Firebird process.
- On Linux: This is typically the firebird user or root in many container environments.
- On Windows: This often grants SYSTEM privileges.
From this vantage point, an attacker can read sensitive databases, move laterally through the network, or establish permanent persistence on the host.
Unlike legacy UDF (User Defined Function) paths, which have UdfAccess restrictions, this engine/plugin path has no allowlist or configuration options to lock it down in affected versions.
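The two points above, the unchecked path build and the absence of any allowlist, are easiest to see side by side. The following is an added C++ illustration, not Firebird's own loader code: the plugin directory, the identifier character set and the allowlist contents are assumptions, and the platform library suffix the real loader would add is omitted.

```cpp
#include <cctype>
#include <filesystem>
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Assumed plugin directory for this illustration (not a real Firebird configuration value).
const fs::path kPluginDir = "/opt/firebird/plugins";

// Assumed allowlist of engine names an administrator would permit. "UDR" is the engine
// name used by Firebird's standard external-routine declarations; anything else is site policy.
const std::set<std::string> kAllowedEngines = {"UDR"};

// Vulnerable pattern as the advisory describes it: the engine name from CREATE FUNCTION
// is appended to the plugin directory string with no filtering of '/', '\\' or "..".
// Normalising the result shows where the loader would actually look.
std::string buildPluginPathUnchecked(const std::string& engineName) {
    std::string raw = kPluginDir.string() + "/" + engineName;
    return fs::path(raw).lexically_normal().string();
}

// Hardened check 1: an engine name must be a plain identifier. Accepting only
// [A-Za-z0-9_] rejects separators, "..", NUL bytes and whitespace with one rule.
bool isSafeEngineName(std::string_view name) {
    if (name.empty() || name.size() > 63) return false;
    for (unsigned char c : name) {
        if (!std::isalnum(c) && c != '_') return false;
    }
    return true;
}

// Hardened check 2: the name must be on the configured allowlist, the control the
// advisory says is missing for this path in affected versions (UdfAccess covers UDFs only).
bool isAllowedEngine(std::string_view name) {
    return kAllowedEngines.count(std::string(name)) > 0;
}

// Returns a plugin path only if every check passes. All of this must run before
// dlopen()/LoadLibraryEx(), because a library's constructors or DllMain execute at load
// time, before the loader can inspect what it has loaded.
std::optional<fs::path> resolvePluginPath(std::string_view engineName) {
    if (!isSafeEngineName(engineName) || !isAllowedEngine(engineName)) return std::nullopt;
    fs::path candidate = (kPluginDir / fs::path(std::string(engineName))).lexically_normal();
    // Defence in depth: the normalised path must still be a direct child of the plugin dir.
    if (candidate.parent_path() != kPluginDir.lexically_normal()) return std::nullopt;
    return candidate;
}

int main() {
    const char* names[] = {"UDR", "../../../tmp/evil", "..\\..\\evil", "sub/engine", "Other_Engine"};
    for (const char* n : names) {
        auto safe = resolvePluginPath(n);
        std::cout << "engine name '" << n << "': unchecked build -> "
                  << buildPluginPathUnchecked(n) << "; hardened -> "
                  << (safe ? safe->string() : std::string("rejected")) << '\n';
    }
    return 0;
}
```

The order of the checks matters more than their exact form: the identifier rule and the allowlist lookup are cheap string operations that leave no side effects, whereas the first dlopen() of an attacker-controlled path is already the compromise. The parent-directory comparison is deliberately redundant with the character-set rule so that a later relaxation of one check does not silently reopen the traversal.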
Administrators must update to the following patched versions immediately to secure their deployments: