Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.
Details
The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.
Impact
SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.
Credit
This issue was reported by @geo-chen.
AnalysisAI
SQL injection in NocoDB's bulk groupBy endpoint allows authenticated users holding column-create or column-rename permissions to read arbitrary data from the connected database by crafting a malicious column title. Affected versions are all NocoDB npm releases up to and including 2026.05.0; a vendor-released patch is available in 2026.05.1. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low complexity of exploitation once authenticated and the direct database read impact make prompt patching a priority for any internet-exposed NocoDB deployment.
Technical ContextAI
NocoDB is an open-source no-code database platform distributed as an npm package (pkg:npm/nocodb). The affected code paths are in group-by.ts, which constructs database-specific Knex ORM aggregation queries using knex.raw() - a low-level escape hatch that bypasses Knex's built-in parameterization when user-controlled strings are interpolated directly into the SQL template. The root bypass lives in data-table.service.ts: column resolution matches on both the sanitized column_name field and the free-text title field. Because the bulk groupBy endpoint maintains a column allowlist keyed on column_name, an attacker who sets a column's title to a SQL fragment causes the lookup to resolve the column via the unsanitized title path, delivering the fragment directly into the raw SQL string. This is a textbook CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) defect, specifically a second-order injection variant where the malicious payload is stored in the column title before being consumed by the query builder.
RemediationAI
Upgrade NocoDB to version 2026.05.1 or later; this is the vendor-confirmed fix version per the GitHub release at https://github.com/nocodb/nocodb/releases/tag/2026.05.1 and the security advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-p8wx-5f39-w3x4. For deployments where immediate upgrade is not feasible, restrict column-create and column-rename permissions to only the smallest set of highly trusted accounts - this directly eliminates the attacker's ability to set a malicious column title and is the most effective compensating control. Note that this restriction may impact collaborative workflows where multiple users manage table schema. As an additional layer, limit network access to NocoDB's API to internal networks or authenticated VPN users, reducing the exposure window for any compromised collaborator account. There is no indication that disabling a specific feature flag or endpoint is possible as a workaround without modifying application code.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38616
GHSA-p8wx-5f39-w3x4