Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in the DATEADD formula’s unit parameter allows an authenticated user with the Creator role to inject arbitrary SQL. The injection can be used to read, alter, or delete data stored in the NocoDB database, potentially exposing confidential information or corrupting records. The vulnerability is a classic SQL injection (CWE-89) that does not directly cause system compromise but enables a user with sufficient privileges to tamper with data integrity. Affected systems include the NocoDB application from the nocodb vendor. Versions prior to 0.301.3 are vulnerable; version 0.301.3 and newer contain the fix.

Affected Systems

NocoDB application by nocodb; all releases before version 0.301.3 are vulnerable, while version 0.301.3 and later contain the fix.

Risk and Exploitability

The flaw carries a medium CVSS score of 6.2 and an EPSS score below 1%, indicating a low probability of exploitation. It is not listed in the KEV catalog. Attackers must authenticate and possess the Creator role to leverage the vulnerability. With compromised credentials, the attacker can execute arbitrary SQL through the DATEADD formula, enabling reading, modifying, or deleting data and thereby breaching the confidentiality and integrity of the database. Because the attack surface is limited to legitimate accounts, the overall threat remains moderate but warrants timely patching to prevent data compromise.

Generated by OpenCVE AI on April 17, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.3 or later
  • If upgrading is not immediately possible, remove or restrict the Creator role from users who do not need it and disable the DATEADD formula feature if accessible
  • Monitor database logs for unusual query patterns and ensure all user inputs are properly sanitized

Advisories
Source: GitHub GHSA
ID: GHSA-45rp-9p97-h852
Title: NocoDB Vulnerable to SQL Injection via DATEADD Formula
History

Tue, 03 Mar 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nocodb; Nocodb nocodb
CPEs                                  cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
Vendors & Products                    Nocodb; Nocodb nocodb
Metrics                               cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 03 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
Title                                 NocoDB: SQL Injection via DATEADD Formula
Weaknesses                            CWE-89
References
Metrics                               cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T15:53:53.938Z

Reserved: 2026-02-27T15:33:57.288Z

Link: CVE-2026-28399

Vulnrichment

Updated: 2026-03-03T15:53:49.527Z

NVD

Status : Analyzed

Published: 2026-03-02T17:16:35.073

Modified: 2026-03-03T19:02:04.290

Link: CVE-2026-28399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses