
Firebird patches path traversal engine loader enabling code execution

Published 17 Apr 2026. Updated 17 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR — A path traversal in Firebird’s external engine plugin loader lets a user with CREATE FUNCTION load arbitrary shared libraries and execute their initialization code inside the database server process.

What happened

Firebird is an open-source relational database management system used as an embedded or standalone SQL database server.

CVE-2026-40342 describes a Critical (CVSS 10.0) issue where Firebird’s external engine plugin loader builds a filesystem path by concatenating a user-supplied engine name (from CREATE FUNCTION ... ENGINE "<name>") without filtering path separators or "..". This allows an authenticated user with CREATE FUNCTION privileges to traverse paths and load an arbitrary shared library from elsewhere on the filesystem.

The key operational detail is that the shared library’s initialization code executes immediately during loading (e.g., during dlopen() / LoadLibraryEx()), before Firebird validates the module, enabling code execution as the Firebird server’s OS account.

Why it matters: database servers are frequently reachable from application networks, and “low” database privileges like CREATE FUNCTION can be present in real deployments (or obtained post-compromise). Plugin/extension loading paths are also a recurring escape hatch from “DB-only” impact into full host compromise.

Who is impacted

  • Deployments running Firebird server versions in the affected ranges below.
  • Environments where application or tenant roles have been granted CREATE FUNCTION (directly or indirectly), because this becomes an escalation path from database privileges into OS-level code execution.

Component   Affected versions (per CVE record)   Patched versions (per CVE record)
firebird    < 3.0.14                             3.0.14
firebird    >= 4.0.0, < 4.0.7                    4.0.7
firebird    >= 5.0.0, < 5.0.4                    5.0.4

What to do now

  • Follow vendor remediation guidance and apply a patched Firebird release.

    "Patched versions: Firebird 5.0.4, 4.0.7, 3.0.14"

  • Inventory Firebird instances (VMs, bare metal, containers) and map deployed versions to the affected ranges; prioritize internet-exposed or broadly reachable database endpoints.
  • Review and minimize database privileges that enable exploitation (notably CREATE FUNCTION), treating this as a privilege-to-RCE escalation path.
  • Re-evaluate filesystem write paths reachable from the Firebird service account; the advisory notes this becomes “specially dangerous” when ExternalFileAccess is set to a non-default value that enables writes to the host filesystem.
  • If compromise is suspected, hunt for suspicious DDL activity (e.g., CREATE FUNCTION statements with unexpected ENGINE identifiers containing traversal-style components) and rotate credentials/secrets reachable from the database host per your incident response playbooks.
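
The DDL hunt from the last bullet, as an added example (not code from the advisory or from the Firebird project). It assumes the statements have already been pulled from trace/audit logs or a schema extract, treats UDR as the only expected engine, and goes slightly beyond the page by also matching the CREATE OR ALTER, RECREATE and ALTER FUNCTION forms; all function names and sample statements are constructed.

```python
import re

# Tokenise so that quoted text is kept whole and comments cannot hide the ENGINE clause.
TOKEN_RE = re.compile(r"""'(?:[^']|'')*' | "(?:[^"]|"")*" | /\*.*?\*/ | --[^\n]*""",
                      re.VERBOSE | re.DOTALL)
FUNC_DDL_RE = re.compile(r"\b(?:CREATE(?:\s+OR\s+ALTER)?|RECREATE|ALTER)\s+FUNCTION\b", re.I)
ENGINE_RE = re.compile(r'\bENGINE\s+(?:"((?:[^"]|"")*)"|([A-Za-z_$][\w$]*))', re.I)

def normalize(sql):
    """Blank out string literals and comments; keep double-quoted identifiers."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith("'"):
            return "''"
        return tok if tok.startswith('"') else " "
    return TOKEN_RE.sub(repl, sql)

def check_statement(sql, allowed=("UDR",)):
    """Return (engine, reasons) for function DDL to review; `allowed` is an assumed allowlist."""
    text = normalize(sql)
    m = ENGINE_RE.search(text) if FUNC_DDL_RE.search(text) else None
    if m is None:
        return None
    quoted = m.group(1) is not None
    name = m.group(1).replace('""', '"') if quoted else m.group(2).upper()
    reasons = []
    if "/" in name or "\\" in name:
        reasons.append("path separator")
    if ".." in name:
        reasons.append("dot-dot component")
    if not reasons and name not in allowed:
        reasons.append("engine not in allowlist")
    return (name, reasons) if reasons else None

def hunt(statements, allowed=("UDR",)):
    """Return [(index, engine_name, reasons)] for every statement worth a look."""
    hits = ((i, check_statement(s, allowed)) for i, s in enumerate(statements))
    return [(i, h[0], h[1]) for i, h in hits if h]

# Constructed sample statements (not taken from a real incident or from the advisory).
SAMPLE_DDL = [
    "CREATE FUNCTION f1 (a INT) RETURNS INT EXTERNAL NAME 'mod!fn' ENGINE UDR;",
    "CREATE OR ALTER FUNCTION f2 RETURNS INT EXTERNAL NAME 'x' ENGINE /* c */ \"../../dir/name\";",
    "create function f3 returns int external name 'ENGINE \"../x\"' engine udr;",
    "RECREATE FUNCTION f4 RETURNS INT EXTERNAL NAME 'x' ENGINE \"..\\name\";",
    "CREATE FUNCTION f5 RETURNS INT EXTERNAL NAME 'x' ENGINE \"other_engine\";",
    "SELECT 1 FROM RDB$DATABASE; -- ENGINE \"../ignored\"",
]

if __name__ == "__main__":
    for idx, engine, why in hunt(SAMPLE_DDL):
        print(f"statement {idx}: ENGINE {engine!r} -> {', '.join(why)}")
```

Replace the default allowlist with the engine names actually deployed in your environment before relying on the "not in allowlist" finding.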
