GHSA-38CW-85XC-XR9X

Identity Crisis: Dumping Veramo's Digital Wallets via SQL Injection

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 17, 2026·5 min read·18 visits

Executive Summary (TL;DR)

The Veramo framework, designed for Self-Sovereign Identity (SSI), contained a massive hole in its data access layer. By manipulating the `order` parameter in API requests, attackers could force the application to execute arbitrary SQL. This bypasses the ORM's protections, allowing full database dumps. If you run Veramo < 6.0.2, your DIDs and private keys are compromised.

A critical SQL injection vulnerability in the Veramo framework's data storage layer allows authenticated attackers to manipulate query ordering parameters, enabling the exfiltration of sensitive data—including private keys and verifiable credentials—from the underlying database.

Official Patches

VeramoCommit fixing the vulnerability via column whitelisting
VeramoPull Request #1482 details

Fix Analysis (1)

Technical Appendix

CVSS Score
6.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Systems

Veramo Framework@veramo/data-store@veramo/data-store-json

Affected Versions Detail

Product
Affected Versions
Fixed Version
@veramo/data-store
Veramo
< 6.0.26.0.2
@veramo/data-store-json
Veramo
< 6.0.26.0.2
AttributeDetail
CWE IDCWE-89 (SQL Injection)
CVSS Score6.8 (Medium)
Attack VectorNetwork (Authenticated)
ImpactHigh (Confidentiality & Integrity)
Vulnerable ComponentdecorateQB()
Fix TypeInput Validation (Whitelist)

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1505Server Software Component
Persistence
T1555Credentials from Password Stores
Credential Access
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vulnerability Timeline

Patch Released in v6.0.2
2026-01-16
Advisory Published
2026-01-16

Subscribe to updates

Get the latest CVE analysis reports delivered to your inbox.