PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`

Severity:: Medium

Description

In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users.

Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted.

Recommendation

Update the @powersync/service-sync-rules package to the latest compatible version. Followings are version details:

Affected version(s): = 0.32.0
Patched version(s): 0.33.0

References

GHSA-q6wc-xx4m-92fj
CVE-2026-30870
CWE-285
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` (GHSA-q6wc-xx4m-92fj) - CVE-2026-30870
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. - CVE-2026-32763
Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
Parse Server: MFA recovery code single-use bypass via concurrent requests - CVE-2026-33624

Tags:: npm; @powersync/service-sync-rules

Anything's wrong? Let us know Last updated on March 23, 2026