Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw in NocoDB’s formula engine. An authenticated user with columnAdd permission on a Postgres‑backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). Because the value is not validated and is directly embedded into a knex.raw ORDER BY clause, the injected SQL runs during column creation and subsequent reads of the formula column, allowing the attacker to execute arbitrary queries and potentially expose or modify sensitive data. The flaw is fixed in NocoDB 2026.04.1.

Affected Systems

NocoDB applications running a version earlier than 2026.04.1 on a Postgres data store are affected. The flaw is linked to the Postgres mapping for ARRAYSORT in the functionMappings/pg.ts file. Users of the 2026.04.1 release or later are not vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 6, indicating a moderate severity. The EPSS score is not available, so the current exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attacker must be authenticated with columnAdd permissions and have a Postgres‑backed database; the attack can be carried out during column definition or by inducing reads of the formula column, making exploitation practical in environments where users are granted this permission.

Generated by OpenCVE AI on June 24, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NocoDB to version 2026.04.1 or later. This closes the SQL injection path.
  • Restrict the columnAdd permission to trusted users or remove it for roles that do not need to create new columns. This limits the group that can trigger the injection.
  • Audit existing formula columns for ARRAYSORT usage and review database logs for signs of unexpected SQL execution. This helps detect any previous exploitation attempts.

Generated by OpenCVE AI on June 24, 2026 at 02:46 UTC.
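As an added illustration of the bug pattern described under Impact and of the audit step recommended above (example code written for this page, not NocoDB's pg.ts mapping): the unsafe form interpolates the direction string straight into the ORDER BY fragment, the hardened form allowlists it before it reaches raw SQL, and a small scanner flags stored formulas whose direction argument is not an asc/desc literal. The SQL shape and the `{Column}` formula syntax are assumptions.

```typescript
// Illustrative example for this advisory; not NocoDB's own mapping code.
// Assumption: the engine hands the mapping an already-rendered SQL expression
// for the array argument plus the raw direction string from the formula.
type SortDirection = 'asc' | 'desc';
const ALLOWED_DIRECTIONS: ReadonlySet<string> = new Set(['asc', 'desc']);

// Vulnerable shape: the direction string is interpolated verbatim. ORDER BY
// keywords cannot be bound parameters, so nothing downstream will escape it.
function arraySortSqlUnsafe(arrayExpr: string, direction = 'asc'): string {
  return `(SELECT array_agg(v ORDER BY v ${direction}) FROM unnest(${arrayExpr}) AS v)`;
}

// Hardened shape: normalise and allowlist at validation time; reject the rest.
function normaliseDirection(direction: unknown): SortDirection {
  if (direction === undefined || direction === null) return 'asc';
  if (typeof direction !== 'string') {
    throw new Error('ARRAYSORT: direction must be a string literal');
  }
  const d = direction.trim().toLowerCase();
  if (!ALLOWED_DIRECTIONS.has(d)) {
    throw new Error(`ARRAYSORT: direction must be 'asc' or 'desc', got ${JSON.stringify(direction)}`);
  }
  return d as SortDirection;
}

function arraySortSqlSafe(arrayExpr: string, direction?: unknown): string {
  const dir = normaliseDirection(direction);
  return `(SELECT array_agg(v ORDER BY v ${dir}) FROM unnest(${arrayExpr}) AS v)`;
}

// Audit aid for stored formulas: flag ARRAYSORT calls whose second argument
// is not a quoted asc/desc literal. Regex-based, so nested calls inside the
// argument list are not matched; treat it as triage, not a parser.
function findSuspiciousArraySort(formula: string): string[] {
  const re = /ARRAYSORT\s*\(([^()]*)\)/gi;
  const hits: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(formula)) !== null) {
    const args = m[1].split(',').map((a) => a.trim());
    if (args.length < 2) continue; // no direction given: default applies
    const dir = args[1].replace(/^['"]|['"]$/g, '').toLowerCase();
    if (!ALLOWED_DIRECTIONS.has(dir)) hits.push(m[0]);
  }
  return hits;
}
```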

Advisories
Source: GitHub GHSA
ID: GHSA-cxv7-gmmp-228p
Title: NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Nocodb; Nocodb nocodb
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
  Values Added: (the description shown at the top of this record)
Type: Title
  Values Added: NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
Type: Weaknesses
  Values Added: CWE-89
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:36:26.870Z

Reserved: 2026-05-19T19:22:45.727Z

Link: CVE-2026-47375

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')