Critical SQL Injection Flaw in Auth Endpoint Exposes Credentials, Enables Full Database Breach

A critical SQL injection vulnerability has been identified in the `/api/auth/login` authentication endpoint, according to a security scan flagged through Snyk. The flaw stems from user-supplied input being concatenated directly into SQL queries without parameterization, creating a direct path for attackers to manipulate database commands. The vulnerability carries a CVSS score of 9.8, placing it in the critical severity range.

The issue was discovered in two core files: `src/auth/login.py` at line 42 and `src/auth/session.py` at line 15. Security researchers demonstrated the exploit by entering the payload `' OR 1=1 --` as a username while providing any value for the password field. The attack succeeded, bypassing authentication entirely and logging the attacker into the first user account present in the database. This method grants immediate access to whatever account appears first in the database structure, regardless of credentials.

The implications extend far beyond unauthorized login. Attackers exploiting this flaw could achieve full database access, exposing user credentials, personally identifiable information (PII), and any sensitive data stored within. The vulnerability also creates conditions for data exfiltration and deletion, posing risks of large-scale data loss or exposure. Immediate remediation requires replacing all string concatenation in the affected SQL queries with parameterized queries, a standard secure coding practice that separates query logic from user input. Organizations using this authentication system face urgent pressure to apply patches or workarounds before active exploitation occurs.