Intel

AIKIDO-2026-590122

activity_notification is vulnerable to SQL Injection

SQL InjectionGHSA-h5xx-m7vj-5vg2 Published Today

98

Critical Risk

This Affects:

RUBYactivity_notification
1.0.1 - 2.6.1
Fixed in 2.7.0
Are you affected? Scan for Free

TL;DR

The bulk notification endpoints open_all and destroy_all in NotificationsController forward unfiltered request parameters to the model layer, where a custom_filter value is passed directly to ActiveRecord where as a raw SQL string. An attacker can supply a crafted custom_filter to inject arbitrary SQL conditions, and two of the affected API endpoints are reachable without authentication. This allows mass modification or deletion of notification records and boolean-based blind data exfiltration. The fix restricts the controllers to a permitted set of filter keys and rejects a raw SQL string custom_filter by raising an error before it reaches the query.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

activity_notification is vulnerable to SQL Injection in versions 1.0.1 - 2.6.1.

How to fix this

Upgrade the activity_notification library to the patch version.