Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.
Published: 2026-05-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw allows an attacker who holds collection‑management privileges to create a benign SQL collection and then modify it with arbitrary SQL that bypasses the platform’s validation routine. Because the checkSQL() verification is omitted on the sqlCollection:update endpoint, the injected SQL can be executed when the collection is queried, giving the attacker direct access to sensitive data. The consequence is a full data breach with potential compromise of confidentiality, integrity, and availability of the underlying database.

Affected Systems

The vulnerability affects the NocoBase platform, as distributed under the vendor name nocobase. Any installation running a version prior to 2.0.39 is susceptible; the fix is available in release 2.0.39. Users of earlier versions should identify whether the platform is deployed and whether their administrators have the ability to create or update SQL collections.

Risk and Exploitability

The CVSS score of 7.2 classifies this issue as high severity. Exploitability depends on the attacker’s possession of collection‑management rights, which typically require authentication and administrative trust. While EPSS data is unavailable, there is no evidence of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the absence of input validation on the update endpoint removes a critical security boundary, making the attack path straightforward for authorized users with malicious intent.

Generated by OpenCVE AI on May 7, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoBase to version 2.0.39 or later to restore SQL validation on the update endpoint.
  • Limit collection‑management permissions to a minimal set of trusted administrators to reduce the risk of malicious SQL injection.
  • Audit existing SQL collections for unexpected updates and enforce logging or alerts for changes made through sqlCollection:update.

Generated by OpenCVE AI on May 7, 2026 at 06:22 UTC.
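A small model of the guard-on-every-write-path fix and the audit step recommended above, added here as an example and not NocoBase's own code; createService, query, auditStored and replay are assumed names, and the keyword list is illustrative.

```javascript
// Added illustration, not NocoBase's own code: an in-memory model of a SQL-collection
// service showing why a write-time guard must cover every endpoint that accepts SQL.
// createService, query, auditStored, replay are hypothetical; keyword list is illustrative.
const BLOCKED_KEYWORDS = ['pg_read_file', 'load_file', 'dblink'];
// checkSQL()-style guard: reject SQL mentioning a blocked keyword (case-insensitive; real rules may differ).
function checkSQL(sql) {
  const hit = BLOCKED_KEYWORDS.find((kw) =>
    new RegExp(`\\b${kw}\\b`, 'i').test(String(sql)));
  if (hit) throw new Error(`blocked SQL keyword: ${hit}`);
  return sql;
}

// guardUpdate=false models the pre-2.0.39 shape (guard on create and execute
// only); guardUpdate=true models the fixed shape (guard on update as well).
function createService({ guardUpdate }) {
  const collections = new Map();
  return {
    create(name, sql) { collections.set(name, checkSQL(sql)); },
    update(name, sql) {
      if (!collections.has(name)) throw new Error(`unknown collection: ${name}`);
      collections.set(name, guardUpdate ? checkSQL(sql) : sql);
    },
    execute(sql) { return checkSQL(sql); },   // ad-hoc run, guarded in both shapes
    // Querying runs whatever was stored; nothing is re-validated here, which is
    // why a gap on the write path matters.
    query(name) { return collections.get(name); },
    stored() { return new Map(collections); },
  };
}

// Defender-side audit for existing deployments: stored SQL the guard would now
// reject, i.e. collections to review after upgrading.
function auditStored(service) {
  const flagged = [];
  for (const [name, sql] of service.stored()) {
    try { checkSQL(sql); } catch (e) { flagged.push({ name, reason: e.message }); }
  }
  return flagged;
}

// Replays the create-benign-then-update sequence from the advisory against one
// shape: was the update accepted, what would a later query run, how many flagged?
function replay(guardUpdate) {
  const svc = createService({ guardUpdate });
  svc.create('orders_view', 'SELECT id, total FROM orders');   // constructed sample
  let accepted = true;
  try { svc.update('orders_view', "SELECT pg_read_file('x')"); } catch (e) { accepted = false; }
  return { accepted, wouldRun: svc.query('orders_view'), flagged: auditStored(svc).length };
}
```

Running auditStored over a pre-upgrade store is the practical counterpart of the "audit existing SQL collections" recommendation: anything it flags was written past the missing check.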

Advisories
Source: Github GHSA
ID: GHSA-wrwh-c28m-9jjh
Title: @nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
History

Thu, 07 May 2026 06:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nocobase; Nocobase nocobase

Type: Vendors & Products
Values Removed: (none)
Values Added: Nocobase; Nocobase nocobase

Thu, 07 May 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.

Type: Title
Values Removed: (none)
Values Added: NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284; CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:14:23.539Z

Reserved: 2026-04-21T23:58:43.801Z

Link: CVE-2026-41641

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T06:16:05.073

Modified: 2026-05-07T06:16:05.073

Link: CVE-2026-41641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:30:06Z

Weaknesses