Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Admin role required to access SQL Collection (PR:H); scope changes as query reaches PostgreSQL system catalogs (S:C); confidentiality high (password hashes); no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. In 2.0.59 and earlier, NocoBase @nocobase/plugin-collection-sql used the checkSQL() function in packages/plugins/@nocobase/plugin-collection-sql/src/server/utils.ts with an incomplete keyword blacklist that did not restrict PostgreSQL system catalog tables such as pg_shadow, pg_roles, and pg_stat_activity, allowing an admin-role user to read password hashes and database metadata through the SQL Collection feature. This vulnerability is fixed in 2.1.0-alpha.46.
AnalysisAI
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated NocoBase admin-role account (confirmed by PR:H in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.8 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N captures the tension between high confidentiality impact and a high-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated NocoBase administrator navigates to the SQL Collection configuration interface and creates a new collection using the query SELECT usename, passwd FROM pg_shadow or its subquery variant SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords. Both forms bypass the original keyword blacklist, and the application executes the query against PostgreSQL, returning bcrypt-hashed credentials for all database users. … |
| Remediation | Upgrade to NocoBase 2.1.0-alpha.46 or later, which expands the checkSQL() blocklist to include pg_catalog, pg_shadow, pg_authid, pg_auth_members, pg_roles, pg_stat_activity, and information_schema, and closes the subquery bypass vector. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44800