CVE-2026-30870 MEDIUM

CVE-2026-30870: Some sync filters in PowerSync Service ignored when using `config.edition: 3`

Vendor Powersync-Ja
Product powersync-service
Weakness CWE-285
Published March 9, 2026
Last update March 10, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with `config.edition: 3`, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.

Key dates

02 Disclosure timeline

March 9, 2026 CVE published
March 10, 2026 Record updated