Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is software for building databases as spreadsheets. The vulnerability is a SQL injection flaw in NocoDB’s formula engine. An authenticated user with columnAdd permission on a Postgres‑backed base can inject arbitrary SQL via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation, is embedded into a knex.raw ORDER BY read of the formula column. This can allow the attacker to execute arbitrary queries and potentially expose or modify sensitive data. The flaw is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts, and it has been fixed in NocoDB 2026.04.1.

Affected Systems

NocoDB applications running a version earlier than 2026.04.1 on a Postgres data store are affected. The flaw is linked to the Postgres mapping for ARRAYSORT in the functionMappings/pg.ts file. Users of the 2026.04.1 release or later are not vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 6, indicating a moderate severity. The EPSS score is not available, so the current exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attacker must be authenticated with columnAdd permissions and have a Postgres‑backed database; the attack can be carried out during column definition or by inducing reads of the formula column, making exploitation practical in environments where users are granted this permission.

Generated by OpenCVE AI on June 24, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NocoDB to version 2026.04.1 or later. This closes the SQL injection path.
  • Restrict the columnAdd permission to trusted users or remove it for roles that do not need to create new columns. This limits the group that can trigger the injection.
  • Audit existing formula columns for the ARRAYSORT usage and review logs for signs of unexpected SQL execution. This helps detect any previous exploitation attempts.

Generated by OpenCVE AI on June 24, 2026 at 09:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cxv7-gmmp-228p NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.
Title NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:33:25.567Z

Reserved: 2026-05-19T19:22:45.727Z

Link: CVE-2026-47375

cve-icon Vulnrichment

Updated: 2026-06-24T19:32:48.492Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')