PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`

Severity:: Medium

Description

In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users.

Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted.

Recommendation

Update the @powersync/service-sync-rules package to the latest compatible version. Followings are version details:

Affected version(s): = 0.32.0
Patched version(s): 0.33.0

References

GHSA-q6wc-xx4m-92fj
CVE-2026-30870
CWE-285
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` - @powersync/service-core - CVE-2026-30870
Angular Expressions - Remote Code Execution using filters - CVE-2026-44643
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) - CVE-2026-41478
Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @powersync/service-sync-rules

Anything's wrong? Let us know Last updated on March 23, 2026