PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` (GHSA-q6wc-xx4m-92fj)

Severity:: Medium

Description

In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users.

Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted.

Recommendation

Update the @powersync/service-core package to the latest compatible version. Followings are version details:

Affected version(s): = 1.20.0
Patched version(s): 1.20.1

References

GHSA-q6wc-xx4m-92fj
CVE-2026-30870
CWE-285
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` - CVE-2026-30870
Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering (GHSA-j62c-4x62-9r35) - CVE-2025-67647
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. - CVE-2026-32763

Tags:: npm; @powersync/service-core

Anything's wrong? Let us know Last updated on March 23, 2026