CVE-2026-30870 in powersync-service

Summary

by MITRE • 03/10/2026

PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.


Analysis

by VulDB Data Team • 03/15/2026

The PowerSync Service is the server-side component of the PowerSync sync engine that manages data synchronization between client applications and backend systems. This vulnerability affects version 1.20.0 when new sync streams are used with config.edition set to 3, and it weakens access control by undermining the data partitioning that decides which rows each user receives. The flaw lies in the processing of subquery filters during synchronization: certain filter conditions are disregarded entirely when the service determines which data an authenticated user may access.

The defect stems from improper handling of subquery evaluation in the sync stream processing pipeline. When a subquery is used to gate synchronization access, the service fails to evaluate all of the filter conditions that should restrict data visibility. This happens only for sync streams configured with config.edition: 3, where the partitioning logic is compromised. The issue is classified as a privilege escalation under CWE-284 (Improper Access Control): authenticated users can potentially receive data that their authorization level should exclude. The flaw sits at the application layer and directly violates the principle of least privilege, since users may receive data beyond their intended access scope.

The operational impact goes beyond simple data exposure. Depending on the sync stream configuration, users may obtain restricted datasets that should be available only to authorized personnel or specific user groups, which creates a data leakage risk and violates confidentiality requirements, particularly where strict access controls are mandated. Only queries that gate synchronization with subqueries without partitioning the result set are affected, so the defect is tied to how the service evaluates this kind of filter rather than simple direct queries, and it lies in the data filtering and access control evaluation logic rather than in the broader authentication mechanisms.

Mitigation should begin with immediate deployment of the patched version 1.20.1, which corrects the subquery filter processing logic. Organizations should review their current sync stream configurations to identify any instance where config.edition: 3 is in use and, in particular, any stream whose query is gated by a subquery without partitioning the result set. Monitoring sync stream activity and access patterns can additionally help detect anomalous behaviour that might indicate exploitation attempts. The vulnerability demonstrates the importance of correct access control implementation in distributed systems and the need for regular security testing of synchronization mechanisms. From an ATT&CK perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it enables unauthorized data access through legitimate authenticated sessions, potentially allowing attackers to leverage compromised accounts to reach restricted information. System administrators should also review and validate existing access control policies so that data protection measures remain effective against similar implementation flaws in other components of the PowerSync ecosystem.
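As an added example (not code from PowerSync or from VulDB), the following Python script audits a sync-streams configuration for the pattern the advisory describes: an edition-3 stream whose query is gated by a subquery while nothing in the outer WHERE partitions rows per user. The configuration is a constructed sample embedded as a dict; the key layout (config.edition, streams.<name>.query) and the auth.user_id() / request.*() parameter helpers are assumptions modelled on PowerSync's YAML, and the subquery/partition test is a regex heuristic for review purposes, not the service's own query analysis.

```python
import re

# Constructed sample sync-streams configuration (an assumption modelled on the
# config.edition / streams.<name>.query layout; not a real deployment).
SAMPLE_CONFIG = {
    "config": {"edition": 3},
    "streams": {
        # Gated only by a subquery: every user who passes the gate receives the
        # same rows, so nothing partitions the result set per user. This is the
        # shape the advisory describes as affected.
        "all_reports": {
            "query": "SELECT * FROM reports WHERE EXISTS "
                     "(SELECT 1 FROM admins WHERE admins.user_id = auth.user_id())",
        },
        # Uses a subquery, but the outer WHERE also partitions rows per user.
        "my_todos": {
            "query": "SELECT * FROM todos WHERE owner_id = auth.user_id() "
                     "AND list_id IN (SELECT id FROM lists WHERE archived = false)",
        },
        # No subquery at all.
        "profile": {"query": "SELECT * FROM profiles WHERE id = auth.user_id()"},
    },
}

FIXED_VERSION = (1, 20, 1)  # first release with the fix, per the advisory

# auth.*() / request.*() are assumed to be the per-request parameter helpers
PARAM_CALL = re.compile(r"\b(auth|request)\.\w+\s*\(", re.IGNORECASE)
SUBQUERY_START = re.compile(r"\(\s*SELECT\b", re.IGNORECASE)


def parse_version(version):
    """'1.20.0' -> (1, 20, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def has_subquery(sql):
    return SUBQUERY_START.search(sql) is not None


def strip_subqueries(sql):
    """Return the SQL with every parenthesised SELECT removed (paren-depth aware,
    so function calls such as auth.user_id() inside a subquery do not confuse it)."""
    out, i = [], 0
    while i < len(sql):
        if sql[i] == "(" and SUBQUERY_START.match(sql, i):
            depth = 0
            j = i
            while j < len(sql):
                if sql[j] == "(":
                    depth += 1
                elif sql[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            i = j + 1  # skip past the subquery's closing paren
            continue
        out.append(sql[i])
        i += 1
    return "".join(out)


def is_partitioned(sql):
    """True if the outer WHERE clause (subqueries removed) references a
    per-request parameter, i.e. the rows differ per user."""
    outer = strip_subqueries(sql)
    match = re.search(r"\bWHERE\b(.*)$", outer, re.IGNORECASE | re.DOTALL)
    return bool(match and PARAM_CALL.search(match.group(1)))


def audit(config, service_version):
    """Report whether the service version is below the fix and which edition-3
    streams match the subquery-gate-without-partition pattern."""
    result = {
        "vulnerable_version": parse_version(service_version) < FIXED_VERSION,
        "affected_streams": [],
    }
    if config.get("config", {}).get("edition") != 3:
        return result  # the advisory scopes the defect to config.edition: 3
    for name, stream in config.get("streams", {}).items():
        query = stream.get("query", "")
        if has_subquery(query) and not is_partitioned(query):
            result["affected_streams"].append(name)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, "1.20.0")
    print("service below 1.20.1:", report["vulnerable_version"])
    for name in report["affected_streams"]:
        print(f"stream '{name}': subquery gate without per-user partition")
```

Run against the sample, the script reports the service as below 1.20.1 and flags only `all_reports`: `my_todos` also contains a subquery, but its outer WHERE compares `owner_id` to the requesting user, so its rows are partitioned and it does not match the advisory's affected shape. A flagged stream is a prompt to upgrade and to re-check what the gate was meant to restrict, not proof of exposure on its own.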

Responsible: GitHub M

Reservation: 03/06/2026

Disclosure: 03/10/2026

Moderation: accepted

CPE: ready

EPSS: 0.00042

KEV: no

Activities: very low

Sources
