CVE-2026-41641

Exploit

EPSS 1.83%
Veröffentlicht 07.05.2026 04:13:33
Zuletzt bearbeitet 07.05.2026 20:23:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nocobase ≫ Nocobase Version < 2.0.39

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.83%	0.761

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/nocobase/nocobase/releases/tag/v2.0.39

Patch

Product

https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh

Vendor Advisory

Exploit

Mitigation

https://github.com/nocobase/nocobase/pull/9134

Patch

Issue Tracking

https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-41641

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41641

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41641

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41641