Skip to content

Nine CVEs in a single maintenance release!
What's up with that?

tl;dr

If you haven’t time to read this advisory in depth…​

  • Deploy the latest maintenance releases immediately, if you haven’t already done so.

  • Jump to the Recommendations below for tips on how to prevent most future attacks on a Firebird server.

Introduction

On 17th April 2026 the Firebird project released maintenance updates for all three currently supported branches of Firebird. These releases contained the usual minor improvements and a whole bunch of bug fixes. Nothing new there. But, unusually for the Firebird project, there were also nine CVE (Common Vulnerabilities and Exposures) reports.

Obviously it is recommended to update to the latest releases immediately but what if you can’t? There are many compelling reasons NOT to update.

  • Updating a component of a working application stack is worse than opening a can of worms. All sorts of unpleasant discoveries may be found:

    • poor or outdated deployment documentation

    • manual deployment steps required

    • important binaries no longer available

    • missing dependencies

    • dependencies based on obsolete functionality

    • the list goes on

  • Updates may introduce new bugs.

  • Updates require manpower hours to test and deploy. (And thus time stolen from product enhancements.)

  • When Firebird is part of a software package your customers might not want to upgrade for any or all of the above reasons.

Even when you want to update as soon as possible the event needs planning. Should you have updated yesterday? Can it wait a week or two?

In this advisory note we take a detailed look at each CVE. It is intended to help you assess the risks these vulnerabilities pose to your business or organisation and just how urgent (or not) you should apply the release.

Why so many Firebird CVEs all of a sudden?

A major sponsor of the Firebird project announced a bug hunt bounty. Several developers involved in the project answered the call. We suspect their efforts have been assisted by LLMs. The results are overwhelming - nine vulnerabilities discovered and fixed within the first four months of 2026.

It is likely that this trend will continue so expect more CVEs in forthcoming maintenance releases.

Important

Obviously this advisory only discusses Firebird vulnerabilities. But it is important to bear in mind the global context. The rise of LLMs makes discovering all vulnerabilities much easier. And all software is affected. It doesn’t matter whether it is open source or proprietary. Projects such as the linux kernel, or organisations such as Microsoft are struggling under the weight of new exploits being discovered every single day.

And due to LLMs it is to easier than ever to create exploits but then chain them together.

The CVEs

Intrusive attacks allowing access to data and loss of confidentiality

CVE-2026-40342 - Severity - HIGH 9.9/10

Path traversal when declaring external routine

Exploitability Impact
Attack vector:        Network
Attack complexity:    Low
Privileges required:  Low
User interaction:     None
Scope:                     Changed
(loss of) Confidentiality: High
(loss of) Integrity:       High
(loss of) Availability:    High

Warning

This vulnerability allows a bad actor to execute their code via a connection to a Firebird database. It is easy to execute and has the potential to give the attacker root or Administrator access to the host.

There are several mitigating factors, however.

  • The attacker must have a valid Firebird user name and password.

  • The attacker must know the name of a database on the server.

  • The Firebird user must have the CREATE OR ALTER FUNCTION privilege. Users, by default, do not have this privilege. However SYSDBA and the database owner do.

Servers most at risk are those that allow all access to a database via the SYSDBA password. It is not possible to remove privileges from SYSDBA and while disabling SYSDBA access might be possible it would create more problems than it would solve..

It is interesting to note that this CVE considers loss of availability as high. In fact stopping Firebird is the last thing an attacker would want as it would reveal their presence.

Mitigations possible
- Remove the create or alter function from users that do not need it.
- Change ALL Firebird user passwords immediately.
- Remove the employee database from server deployments
- Do not use a database alias name that matches the product name.

How to check if users have permission to create or alter functions
select r.RDB$USER, r.RDB$GRANTOR, r.RDB$PRIVILEGE, r.RDB$GRANT_OPTION
from RDB$USER_PRIVILEGES r
where r.rdb$relation_name = 'SQL$FUNCTIONS'

Note

SYSDBA and the database owner will NOT be included in this list.

CVE-2025-65104 - Severity - HIGH 7.9/10

Information leak vulnerability in firebird3 client when used with newer (>= 4) server

Exploitability Impact
Attack vector:       Local
Attack complexity:   Low
Privileges required: Low
User interaction:    None
Scope:                     Changed
(loss of) Confidentiality: Low
(loss of) Integrity:       High
(loss of) Availability:    Low

As the title suggests this CVE only affects the Firebird 3 client prior to v3.0.14. In addition the client must be used to connect to a Firebird v4 or v5 server.

  • This attack does require an authenticated user.

  • Data modification on the remote server is possible.

  • Scope of the attacker is considered changed although it does not seem as if the attacker can break out of Firebird.

Mitigations possible: Upgrade the Firebird 3 client to any Firebird 4 or Firebird 5 client.

In practical terms the effort required to mitigate will be equivalent to just applying the new Firebird 3 client.

Disruptive attacks leading to a denial of service with possible loss of integrity

CVE-2026-28224 - Severity - HIGH 8.2/10

CryptCallback Denial of Service

(No known CVE) - Severity - HIGH 8.2/10

Pre-Auth Denial of Service
Exploitability Impact
Attack vector:       Network
Attack complexity:   Low
Privileges required: None
User interaction:    None
Scope:                     Unchanged
(loss of) Confidentiality: None
(loss of) Integrity:       Low
(loss of) Availability:    High

Analysis of these two vulns indicates there is a small possiblility that writing to memory may be possible. Apart from that they share similar characteristics to the four DoS attacks in the next section.

These attacks are entirely dependent upon network access. The only requirement is that port 3050 must be available. No further knowledge about Firebird is needed.

Mitigations possible: If it is not possible to apply a patched release then steps should be taken to ensure that access to the Firebird port (usually 3050) is limited as much as possible.

Disruptive attacks leading to a denial of service with no loss of integrity

Severity - HIGH 7.5/10

Exploitability Impact
Attack vector:       Network
Attack complexity:   Low
Privileges required: None
User interaction:    None
Scope:                     Unchanged
(loss of) Confidentiality: None
(loss of) Integrity:       None
(loss of) Availability:    High

These four all have the same characteristics:

  • Accessible via the network

  • Easy to set up and execute

  • Require no special privileges

  • Require no knowledge of any database

  • Server crash is guaranteed

  • No possibility of internal access

In addition it is likely that these bugs have existed in the code since the Borland InterBase days, or perhaps even longer.

Mitigations possible: As above, these attacks are entirely dependent upon network access. If it is not possible to apply a patched release then steps should be taken to ensure that access to the Firebird port (usually 3050) is limited as much as possible.

Severity - MEDIUM 6.5/10

Exploitability Impact
Attack vector:       Network
Attack complexity:   Low
Privileges required: Low
User interaction:    None
Scope:                     Unchanged
(loss of) Confidentiality: None
(loss of) Integrity:       None
(loss of) Availability:    High

Unlike the previous DoS attacks this one requires a valid username and password to connect to a valid database.

Given that there are much easier DoS attacks (see above) it is doubtful that this particular exploit will be ever be used.

That said, it is a reminder that Firebird user logins and passwords should be carefully controlled. Database aliases should also be protected where possible and example databases such as employee should never be deployed to production servers.

Recommendations

There are four recurring themes in these attacks:

  1. Availability of network access
    Limiting access to appropriate subnets automatically reduces the attack surface.
    But be aware that other, non-Firebird related vulnerabilities could be used to gain access to your internal network.

  2. Knowledge of a valid database.
    Some attacks just need to know a database name.

    • Stop deploying the employee database to production servers.

    • Do not create a database alias that matches the product name.

  3. Knowledge of a valid password.
    Change all Firebird passwords regularly and the most serious intrusion attacks will be far more difficult to mount.

  4. Stop using SYSDBA for all database access
    We are no longer in the 20th century.

  5. Limit access to Firebird usernames with elevated access permissions

    • Almost no-one should have access to the SYSDBA password.

    • Each database should have a database owner other than SYSDBA.
      Use of that username/password should also be limited to trusted users.

    • All Firebird users should have minimal permissions.

    • When elevated permissions are necessary the actions should be carried out using ROLEs that must be acquired only as needed.

If you apply the above principles to all your Firebird deployments you will be protected from almost all future Firebird vulnerabilities before they even occur.

Note

The above is not an exhaustive list of all aspects of Firebird database security. It is intended to help minimize the surface area available to attackers. It does not replace standard security measures.

Where to download the binaries

The Firebird Project has fixed these security risks in the latest releases of all branches currently supported:

Firebird 5.0.4

Firebird 4.0.7

Firebird 3.0.14

How to upgrade

Before upgrading to a new maintenance release be sure that you have backed up your databases and verified they can be restored.