Skip to main content

NocoDB EUVDEUVD-2026-38616

| CVE-2026-47384 MEDIUM
SQL Injection (CWE-89)
2026-06-05 https://github.com/nocodb/nocodb GHSA-p8wx-5f39-w3x4
5.3
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 21:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 05, 2026 - 16:54 vuln.today
Analysis Generated
Jun 05, 2026 - 16:54 vuln.today

DescriptionCVE.org

Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.

Details

The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.

Impact

SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.

Credit

This issue was reported by @geo-chen.

AnalysisAI

SQL injection in NocoDB's bulk groupBy endpoint allows authenticated users holding column-create or column-rename permissions to read arbitrary data from the connected database by crafting a malicious column title. Affected versions are all NocoDB npm releases up to and including 2026.05.0; a vendor-released patch is available in 2026.05.1. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low complexity of exploitation once authenticated and the direct database read impact make prompt patching a priority for any internet-exposed NocoDB deployment.

Technical ContextAI

NocoDB is an open-source no-code database platform distributed as an npm package (pkg:npm/nocodb). The affected code paths are in group-by.ts, which constructs database-specific Knex ORM aggregation queries using knex.raw() - a low-level escape hatch that bypasses Knex's built-in parameterization when user-controlled strings are interpolated directly into the SQL template. The root bypass lives in data-table.service.ts: column resolution matches on both the sanitized column_name field and the free-text title field. Because the bulk groupBy endpoint maintains a column allowlist keyed on column_name, an attacker who sets a column's title to a SQL fragment causes the lookup to resolve the column via the unsanitized title path, delivering the fragment directly into the raw SQL string. This is a textbook CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) defect, specifically a second-order injection variant where the malicious payload is stored in the column title before being consumed by the query builder.

RemediationAI

Upgrade NocoDB to version 2026.05.1 or later; this is the vendor-confirmed fix version per the GitHub release at https://github.com/nocodb/nocodb/releases/tag/2026.05.1 and the security advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-p8wx-5f39-w3x4. For deployments where immediate upgrade is not feasible, restrict column-create and column-rename permissions to only the smallest set of highly trusted accounts - this directly eliminates the attacker's ability to set a malicious column title and is the most effective compensating control. Note that this restriction may impact collaborative workflows where multiple users manage table schema. As an additional layer, limit network access to NocoDB's API to internal networks or authenticated VPN users, reducing the exposure window for any compromised collaborator account. There is no indication that disabling a specific feature flag or endpoint is possible as a workaround without modifying application code.

Share

EUVD-2026-38616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy