CVE-2026-46421 in cap-js
Summary
by MITRE • 07/15/2026
The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of `@cap-js/[email protected]`, `@cap-js/[email protected]`, and `@cap-js/[email protected]` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that machine (npm tokens, cloud provider credentials, SSH keys, GitHub PATs) should be considered compromised. User should upgrade to `@cap-js/sqlite` >= 2.4.0, `@cap-js/postgres` >= 2.3.0, `@cap-js/db-service` >= 2.11.0. If a compromised version was ever installed, rotate all affected credentials. No known workarounds are available.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The SAP Cloud Application Programming Model represents a significant framework for developing enterprise cloud applications, with cap-js/cds-dbs serving as the foundational monorepo for SQL database services within this ecosystem. The compromise of specific package versions on April 29, 2026, introduced a sophisticated supply chain attack targeting the core infrastructure components that developers rely upon for building and deploying cloud applications. This attack exploited the trust developers place in npm packages by embedding malicious code within legitimate-looking versions of critical database service modules.
The technical flaw manifests through malicious code execution within the compromised packages cap-js/sqlite2.2.2, cap-js/postgres2.2.2, and cap-js/db-service2.10.1 which function as database abstraction layers in the SAP CAP framework. These packages contain code that systematically harvests credentials from the local environment where they are installed, collecting npm tokens, cloud provider credentials, SSH keys, and GitHub personal access tokens. The malicious behavior extends beyond simple credential harvesting to include self-propagation mechanisms that attempt to spread the compromise to other systems or installations.
The operational impact of this vulnerability is severe and far-reaching for organizations utilizing SAP CAP applications, as it fundamentally compromises the security posture of development environments and production systems. When compromised versions are installed, attackers gain access to all credentials accessible on that machine, creating a vector for lateral movement and persistent access to cloud resources, source code repositories, and infrastructure. This represents a critical failure in supply chain security where developers' local environments become attack vectors for broader organizational compromise.
The remediation strategy requires immediate upgrade to patched versions of the affected packages, with specific version requirements of cap-js/sqlite >= 2.4.0, cap-js/postgres >= 2.3.0, and @cap-js/db-service >= 2.11.0 to eliminate the malicious code execution paths. Organizations must implement comprehensive credential rotation procedures for all affected systems, as the compromised packages could have harvested credentials over extended periods. This vulnerability aligns with CWE-502 (Deserialization of Untrusted Data) and represents a supply chain compromise pattern that maps to ATT&CK technique T1136.2 (Create or Modify System Process - Web Shell) and T1583.001 (Acquire Infrastructure - Domains) when considering the propagation mechanisms.
Security practitioners should implement continuous monitoring for similar supply chain attacks, establish package integrity verification processes using tools like npm audit or Snyk, and consider implementing software composition analysis to detect compromised dependencies in development environments. The attack demonstrates how modern development frameworks can become attack vectors when dependency management practices do not include proper verification of package authenticity and integrity, highlighting the critical need for secure software supply chain practices that align with NIST SP 800-161 guidance on software supply chain security.