Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to 2026.05.1, an authenticated user with column‑create rights in NocoDB can set a column's title to a SQL fragment and then send that title as the column_name of a bulk groupBy request. The endpoint builds three database‑specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Because the data‑table lookup matches on both the sanitized column_name and the free‑text title, a title containing a SQL fragment passes the public endpoint's column allowlist and reaches the query builder unescaped. The result is SQL injection executed with the privileges of NocoDB's own database connection; the assigned CVSS v4 vector rates the confidentiality and integrity impact as low and the availability impact as none.
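An added illustration of the flaw described above and of the fix pattern, written for this page and not taken from NocoDB's source. It models the column lookup in a vulnerable form (a request value is accepted if it matches either column_name or title, and is then interpolated into the SQL text) beside a hardened form (only column_name is matched, and the resolved identifier is quoted before use). The Column shape, the sample columns, the table name `orders`, the dialect names and the malicious title are all constructed for the example; the identifier quoting stands in for knex's `??` identifier binding rather than calling knex.

```typescript
// Added example, not NocoDB's code. Models the column lookup and the groupBy
// aggregation SQL the advisory describes, vulnerable and hardened side by side.
// Column metadata, table name, dialect names and the malicious title are constructed.

interface Column {
  column_name: string; // sanitized physical column name
  title: string;       // free-text display title, set by users with column-create rights
}

type Dialect = "pg" | "mysql" | "sqlite";

// Constructed malicious title: once interpolated it adds a scalar subquery to
// both the SELECT list and the GROUP BY list of the aggregation.
const MALICIOUS_TITLE = "status, (SELECT password FROM users LIMIT 1)";

// Constructed sample metadata; the second column carries the malicious title.
const SAMPLE_COLUMNS: Column[] = [
  { column_name: "status", title: "Status" },
  { column_name: "amount", title: MALICIOUS_TITLE },
];

// Vulnerable lookup: the request value passes if it matches EITHER the sanitized
// column_name OR the free-text title, so a SQL fragment used as a title is "known".
function columnExistsVulnerable(cols: Column[], requested: string): boolean {
  return cols.some(c => c.column_name === requested || c.title === requested);
}

// Vulnerable aggregation: after the allowlist check, the request's own string is
// interpolated into the SQL text, as a knex.raw() template built by concatenation would.
function buildGroupByVulnerable(cols: Column[], table: string, requested: string): string {
  if (!columnExistsVulnerable(cols, requested)) throw new Error(`unknown column: ${requested}`);
  return `SELECT ${requested} AS key, COUNT(*) AS count FROM ${table} GROUP BY ${requested}`;
}

// Hardened lookup: only the sanitized column_name is a valid key, and the resolved
// name must still look like a plain identifier before it is used.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function resolveColumnHardened(cols: Column[], requested: string): Column {
  const col = cols.find(c => c.column_name === requested);
  if (col === undefined || !IDENTIFIER.test(col.column_name)) {
    throw new Error(`unknown column: ${requested}`);
  }
  return col;
}

// Identifier quoting per dialect (what knex's `??` binding does for you):
// backticks for MySQL, double quotes for PostgreSQL and SQLite, embedded quote doubled.
function quoteIdentifier(name: string, dialect: Dialect): string {
  if (dialect === "mysql") return "`" + name.replace(/`/g, "``") + "`";
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hardened aggregation: the SQL only ever sees the quoted, server-side column_name
// of the resolved column, never the raw request string and never the title.
function buildGroupByHardened(cols: Column[], table: string, requested: string, dialect: Dialect): string {
  const col = resolveColumnHardened(cols, requested);
  const id = quoteIdentifier(col.column_name, dialect);
  return `SELECT ${id} AS key, COUNT(*) AS count FROM ${quoteIdentifier(table, dialect)} GROUP BY ${id}`;
}

// Runs both paths against the malicious title and a legitimate column name.
function demonstrate(dialect: Dialect): { vulnerableSql: string; hardenedRejects: boolean; hardenedSql: string } {
  const vulnerableSql = buildGroupByVulnerable(SAMPLE_COLUMNS, "orders", MALICIOUS_TITLE);
  let hardenedRejects = false;
  try {
    buildGroupByHardened(SAMPLE_COLUMNS, "orders", MALICIOUS_TITLE, dialect);
  } catch {
    hardenedRejects = true;
  }
  const hardenedSql = buildGroupByHardened(SAMPLE_COLUMNS, "orders", "status", dialect);
  return { vulnerableSql, hardenedRejects, hardenedSql };
}

const result = demonstrate("pg");
console.log(result.vulnerableSql);
console.log(result.hardenedRejects ? "hardened path rejected the title" : "hardened path ACCEPTED the title");
console.log(result.hardenedSql);
```

The vulnerable output shows the attacker's subquery spliced into both the SELECT and the GROUP BY clause; the hardened path refuses the title outright because it is not a column_name, and for a real column emits only a quoted identifier. In a knex code base the equivalent of quoteIdentifier is passing the resolved column_name through a `??` binding in knex.raw() instead of a template literal.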

Affected Systems

The vulnerability affects all NocoDB releases prior to 2026.05.1. Any deployment of such a version is exposed wherever users hold column‑create rights.

Risk and Exploitability

The CVSS v4 score of 5.3 indicates medium severity. The EPSS score is below 1%, indicating little evidence of exploitation activity, and the vulnerability is not listed in CISA KEV. Exploitation requires an authenticated account with column‑create permission (to plant the malicious title) and access to the bulk groupBy API, so the risk depends on how widely that permission is granted and whether the API is reachable by those accounts.

Generated by OpenCVE AI on June 24, 2026 at 10:01 UTC.

Remediation

Vendor fix: upgrade to NocoDB 2026.05.1, where the injection path is closed. No workaround is provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1, where the injection path has been closed.
  • Restrict column‑create permissions to trusted or necessary users, since the malicious title must be planted by an account holding that right.
  • For forks or patched deployments that cannot upgrade immediately: resolve the requested column by its sanitized column_name only, never by the free‑text title, and pass the resolved identifier to knex.raw() through identifier binding (`??`) rather than string interpolation, addressing the underlying CWE‑89 issue.

Generated by OpenCVE AI on June 24, 2026 at 10:01 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-p8wx-5f39-w3x4
Title: NocoDB: SQL Injection via Column Title in Bulk GroupBy
History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Nocodb; Nocodb nocodb

Type: Vendors & Products
Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 20:30:00 +0000

Type: Description
Values Added: NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.

Type: Title
Values Added: NocoDB: SQL Injection via Column Title in Bulk GroupBy

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-24T12:37:13.126Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47384

Vulnrichment

Updated: 2026-06-24T12:37:02.891Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')