Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
Published: 2026-05-07
Score: 7.5 High
EPSS: 4.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoBase, an AI-powered low-code platform, contains a flaw where the queryParentSQL() function builds a recursive CTE query by concatenating nodeIds into a string rather than using parameterized inputs. An attacker who can create a record with a specially crafted string as its primary key can inject arbitrary SQL. When any later request triggers recursive eager loading on that collection, the malicious string becomes part of the executed query, allowing the attacker to run arbitrary SQL statements with the privileges of the application's database user. This vulnerability can compromise the confidentiality, integrity, and availability of the database, potentially leading to data exfiltration, tampering, or denial of service.

Affected Systems

The flaw exists in all NocoBase releases prior to v2.0.39. Version 2.0.39 introduces parameterized queries for the recursive CTE, eliminating the injection path. All installations running v2.0.38 or earlier should verify their version and apply the patch as soon as possible.

Risk and Exploitability

The CVSS score of 7.5 classifies the vulnerability as high severity, and an EPSS score of 4% indicates a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves creating a record with a malicious primary key through any interface that permits record creation, such as REST APIs or web forms; once that prerequisite is met, the attacker can trigger the vulnerable recursive loading. Successful exploitation would give the attacker arbitrary SQL execution against the application database.

Generated by OpenCVE AI on May 7, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the NocoBase update to at least version 2.0.39, which replaces unsafe string concatenation with parameterized queries in queryParentSQL().
  • If a patch cannot be applied immediately, limit or disable write access to the primary key field and validate input to ensure it contains only numeric identifiers, mitigating the injection vector.
  • Monitor database logs or query monitoring tools for unexpected SQL statements that could signal an attempt to exploit the injection path.
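The defect class the advisory describes, and the mitigation in the second recommended action, as an added JavaScript example that is not NocoBase's own code: a recursive parent-lookup CTE whose id list is spliced into the statement text, the same query built with bound parameters so the ids are never parsed as SQL, and a numeric-id check for installations that cannot patch yet. The table and column names (`nodes`, `id`, `parentId`), the `?` placeholder style and the helper names are assumptions; the real queryParentSQL() in @nocobase/database and its 2.0.39 fix are not reproduced here.

```javascript
// Added example, not code from NocoBase. Table name, column names (id, parentId)
// and the "?" placeholder style are assumptions; a real database driver binds
// the params array to the placeholders.

const NUMERIC_ID = /^\d+$/;

// Unsafe shape (the CWE-89 pattern in the advisory): every id is interpolated
// into the statement text, so a row whose primary key is a crafted string is
// executed as part of the query the next time the collection is eager-loaded.
// The table name is assumed to come from collection metadata, never from a request.
function queryParentSQLUnsafe(table, nodeIds) {
  const list = nodeIds.join(', ');
  return `WITH RECURSIVE parents AS (
  SELECT * FROM ${table} WHERE id IN (${list})
  UNION ALL
  SELECT t.* FROM ${table} t JOIN parents p ON t.id = p."parentId"
) SELECT * FROM parents`;
}

// Hardened shape: the statement contains only placeholders; the ids travel
// separately as bound parameters, so their content cannot change the query.
function queryParentSQL(table, nodeIds) {
  if (!Array.isArray(nodeIds) || nodeIds.length === 0) {
    throw new Error('nodeIds must be a non-empty array');
  }
  const placeholders = nodeIds.map(() => '?').join(', ');
  const sql = `WITH RECURSIVE parents AS (
  SELECT * FROM ${table} WHERE id IN (${placeholders})
  UNION ALL
  SELECT t.* FROM ${table} t JOIN parents p ON t.id = p."parentId"
) SELECT * FROM parents`;
  return { sql, params: [...nodeIds] };
}

// Defence in depth for unpatched installs: accept only ids that look like
// numeric identifiers and reject everything else before any query is built.
function assertNumericIds(nodeIds) {
  const bad = nodeIds.filter((id) => !NUMERIC_ID.test(String(id)));
  if (bad.length > 0) {
    throw new Error(`non-numeric primary key(s) rejected: ${bad.join(', ')}`);
  }
  return nodeIds.map(Number);
}

// Stand-alone usage with constructed ids: one numeric, one non-numeric string.
const sampleIds = [1, 'x'];
console.log(queryParentSQLUnsafe('nodes', sampleIds)); // string lands in the SQL text
console.log(queryParentSQL('nodes', sampleIds));       // SQL has "?, ?", ids are in params
try {
  assertNumericIds(sampleIds);
} catch (err) {
  console.log(err.message); // non-numeric primary key(s) rejected: x
}
```

The parameterized builder is the structural fix: the query text is fixed at build time and only the parameter values vary, so a stored primary key can only ever be compared, never executed. The numeric-id guard is a stopgap for the advisory's workaround scenario and does not replace updating to 2.0.39.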


Tracking


Advisories
Source: Github GHSA
ID: GHSA-4948-f92q-f432
Title: @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
History

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

Type: First Time appeared
Values Added: Nocobase; Nocobase nocobase

Type: Vendors & Products
Values Added: Nocobase; Nocobase nocobase

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.

Type: Title
Values Added: NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Nocobase Nocobase
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:55:04.738Z

Reserved: 2026-04-21T23:58:43.801Z

Link: CVE-2026-41640

Vulnrichment

Updated: 2026-05-07T12:54:58.504Z

NVD

Status: Undergoing Analysis

Published: 2026-05-07T04:16:28.277

Modified: 2026-05-07T15:08:14.623

Link: CVE-2026-41640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:06Z

Weaknesses