Anonymous Intelligence Signal

Critical SQL Injection in Healthcare Provider Authentication Exposes All Patient Records

human The Lab unverified 2026-04-08 00:26:52 Source: GitHub Issues

A critical SQL injection vulnerability in a healthcare provider authentication system allowed attackers to bypass login entirely and execute arbitrary SQL commands, potentially exposing all patient records across all facilities. The flaw, rated a maximum severity 9.8 on the CVSS scale, was found in the `authenticate_user` function, which directly concatenated user input—including username, password hash, and facility ID—into SQL query strings using Python f-strings. This insecure construction created a direct path for attackers to manipulate the database.

The vulnerable code, located in `src/auth/login.py`, built queries by inserting user-controlled variables directly into the SQL command. This meant an attacker could craft malicious input to not only log in as any user but also run any command against the `healthcare_providers` table. The system's reliance on this flawed authentication logic turned a simple login attempt into a potential full-scale database compromise.

The fix replaces the dangerous string concatenation with proper parameterized queries, which separate code from data. This vulnerability underscores a severe failure in secure coding practices for a system handling highly sensitive health information, directly violating NIST Cybersecurity Framework controls for identity management and access control (PR.AC-1, PR.AC-2). The incident highlights the catastrophic consequences that a single, common coding error can have when it sits at the core of a critical application's security gate.
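The difference between the two query constructions, as an added example that is not the project's own code: only the names `authenticate_user` and `healthcare_providers` come from the report, while the column names, sample rows, the `sqlite3` backend and the helpers `make_db`, `authenticate_user_fstring` and `compare` are assumptions made for illustration.

```python
import sqlite3

# Constructed schema and rows; the column names are assumptions, only the
# table name healthcare_providers comes from the report.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE healthcare_providers ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, facility_id TEXT)"
    )
    db.executemany(
        "INSERT INTO healthcare_providers (username, password_hash, facility_id) "
        "VALUES (?, ?, ?)",
        [("dr_adams", "hash-a", "FAC-001"), ("nurse_lee", "hash-b", "FAC-002")],
    )
    return db

def authenticate_user_fstring(db, username, password_hash, facility_id):
    """The 'before' pattern the report describes: input becomes SQL text."""
    query = (
        f"SELECT id FROM healthcare_providers WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}' AND facility_id = '{facility_id}'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None

def authenticate_user(db, username, password_hash, facility_id):
    """Parameterized form: the driver binds the values, so they stay data."""
    query = (
        "SELECT id FROM healthcare_providers "
        "WHERE username = ? AND password_hash = ? AND facility_id = ?"
    )
    row = db.execute(query, (username, password_hash, facility_id)).fetchone()
    return row[0] if row else None

def compare(username, password_hash="wrong", facility_id="FAC-001"):
    """Return (f-string result, parameterized result) for the same input."""
    db = make_db()
    args = (username, password_hash, facility_id)
    return authenticate_user_fstring(db, *args), authenticate_user(db, *args)

if __name__ == "__main__":
    print(compare("dr_adams", "hash-a"))  # valid credentials
    print(compare("dr_adams' --"))        # constructed input, wrong hash
```

The `compare` pair works as a regression test: any input containing quote or comment characters must produce no row from the parameterized function, whatever the concatenated version returns.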