What is the CVSS score of CVE-2026-28399?

CVE-2026-28399 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Nocodb are affected by CVE-2026-28399?

NocoDB users running versions prior to 0.301.3 face a SQL injection vulnerability that allows authenticated Creator-role users to execute arbitrary database commands.. A patch is available.

How to fix or mitigate CVE-2026-28399?

Within 24 hours: Audit all NocoDB instances to identify version and active Creator-role user accounts; disable or restrict Creator role access where possible. Within 7 days: Implement network segmentation to limit database access from NocoDB instances; deploy WAF rules blocking DATEADD formula injection patterns. Within 30 days: Upgrade to NocoDB version 0.301.3 or later once available; conduct full access review and privilege audit of Creator-role users.

Nocodb CVE-2026-28399

HIGH

SQL Injection (CWE-89)

2026-03-02 security-advisories@github.com

GHSA-45rp-9p97-h852

SQLi Nocodb

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 02, 2026 - 17:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.

AnalysisAI

SQL injection in NocoDB versions prior to 0.301.3 allows authenticated users with Creator role to execute arbitrary SQL commands through the DATEADD formula's unit parameter. This high-severity vulnerability enables attackers to compromise data confidentiality, integrity, and system availability with network access and low complexity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as Creator user

Delivery

Access DATEADD formula interface

Exploit

Inject SQL in unit parameter

Execution

Execute arbitrary SQL commands

Impact

Exfiltrate or modify database

Access

Authenticate as Creator user

Delivery

Access DATEADD formula interface

Exploit

Inject SQL in unit parameter

Execution

Execute arbitrary SQL commands

Impact

Exfiltrate or modify database

Vulnerability AssessmentAI

Exploitation	Authenticated access with Creator role required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation	Fixed in version 0.301.3.. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all NocoDB instances to identify version and active Creator-role user accounts; disable or restrict Creator role access where possible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-28399 vulnerability details – vuln.today

Back

Nocodb CVE-2026-28399

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code