Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
Published: 2026-04-02
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Patch Immediately
AI Analysis

Impact

NocoBase, an AI‑powered no‑code platform, allows users to build workflows that execute SQL statements through a plugin. In versions before 2.0.30 the workflow SQL node concatenates template variables directly into raw SQL strings without input validation, escaping, or prepared statement usage. This defect enables any user who can supply values for template variables in a workflow trigger to inject arbitrary SQL. The injected code can read, modify, or delete records, potentially exposing sensitive business data, corrupting application state, or facilitating further attacks against the database.

Affected Systems

The vulnerability affects the NocoBase platform, specifically the plugin‑workflow‑sql component. All deployments running a version older than 2.0.30 are susceptible. The issue has been addressed in release 2.0.30, which replaces unsafe string concatenation with safe parameter handling.

Risk and Exploitability

The CVSS score of 8.5 classifies this as a high‑impact flaw, and the EPSS score of less than 1% indicates that exploitation is currently rare. The vulnerability has not been cataloged in CISA’s KEV list. The attack vector can be inferred to require a user who can trigger a workflow that contains template variables sourced from user‑controlled data; thus, an authenticated or privileged user with workflow creation rights could exploit it. Exploitation would allow unauthorized data access or manipulation via the target database.

Generated by OpenCVE AI on April 10, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current NocoBase version in use
  • Upgrade the platform to version 2.0.30 or later, which implements parameterized queries for the workflow SQL node
  • Validate that workflows no longer include unescaped template variables and test functionality after the upgrade

Generated by OpenCVE AI on April 10, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vx58-fwwq-5g8j NocoBase Has SQL Injection via template variable substitution in workflow SQL node
History

Fri, 10 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nocobase:nocobase:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Nocobase
Nocobase nocobase
Vendors & Products Nocobase
Nocobase nocobase

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
Title NocoBase Has SQL Injection via template variable substitution in workflow SQL node
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nocobase Nocobase
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T12:56:41.506Z

Reserved: 2026-03-30T20:52:53.283Z

Link: CVE-2026-34825

cve-icon Vulnrichment

Updated: 2026-04-03T12:56:29.178Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T20:16:26.247

Modified: 2026-04-10T15:16:03.123

Link: CVE-2026-34825

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:02Z

Weaknesses