CVE-2026-28399
Status: Received - Intake
SQL Injection in NocoDB DATEADD Formula Allows Data Manipulation

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: all versions before 0.301.3 (0.301.3 itself excluded)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28399 is a moderate severity SQL injection vulnerability in the npm package nocodb, affecting versions up to 0.301.2 and fixed in version 0.301.3.

The vulnerability arises from the DATEADD formula's unit parameter, which is directly inserted into SQL queries without proper sanitization. Specifically, the validation only checked for Literal AST node types, allowing non-Literal types to bypass validation.

This flaw affects the MySQL, PostgreSQL, and SQLite function mappings and allows an authenticated user with the Creator role to inject arbitrary SQL commands.

The root cause is improper neutralization of special SQL elements (CWE-89), where user inputs are not sufficiently sanitized or quoted, causing them to be executed as SQL rather than treated as data. [1]
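The validation gap described above, as an added illustration that is not NocoDB's code: a check that inspects only Literal nodes lets any other node type through, while an allowlist check rejects everything that is not a known unit keyword before SQL is built. The AST shape, the function names and the DATE_ADD template are assumptions made for this example.

```javascript
// Constructed miniature of a formula-to-SQL translator for DATEADD.
// The AST node shape ({ type, value, name }) and all names here are
// assumptions for illustration, not NocoDB's real implementation.

// Unit keywords that may be spliced into SQL as text.
const ALLOWED_UNITS = new Set(['day', 'week', 'month', 'year']);

// Weak check, mirroring the advisory: only Literal nodes are validated,
// so any non-Literal node (e.g. an Identifier) is passed through untouched.
function weakUnitArg(node) {
  if (node.type === 'Literal') {
    return ALLOWED_UNITS.has(node.value) ? node.value : null;
  }
  return node.name ?? node.raw ?? null; // gap: not validated at all
}

// Hardened check: the unit must be a string Literal AND in the allowlist.
// Everything else is rejected, regardless of node type.
function safeUnitArg(node) {
  if (node.type === 'Literal' && typeof node.value === 'string') {
    const unit = node.value.toLowerCase();
    if (ALLOWED_UNITS.has(unit)) return unit;
  }
  return null;
}

// Builds a MySQL-style DATE_ADD expression. The column (??) and the amount
// (?) are left as driver bindings; only the unit keyword is interpolated,
// which is exactly why it must come from a fixed allowlist.
function buildDateAdd(unitNode, check) {
  const unit = check(unitNode);
  if (unit === null) throw new Error('DATEADD: invalid unit');
  return { sql: `DATE_ADD(??, INTERVAL ? ${unit})`, bindings: ['date_col', 7] };
}

module.exports = { weakUnitArg, safeUnitArg, buildDateAdd };
```

With a constructed non-Literal node the weak check returns its raw text unchanged, which is the condition that allowed untrusted input to reach the SQL string; the allowlist check returns null and the builder refuses to emit SQL.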


How can this vulnerability impact me?

An attacker with an authenticated Creator role can exploit this vulnerability to inject arbitrary SQL commands into the database.

This can lead to unauthorized data exfiltration or modification within the connected database, potentially compromising the confidentiality and integrity of your data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves SQL injection via the DATEADD formula's unit parameter in NocoDB versions prior to 0.301.3, exploitable by authenticated users with the Creator role.

Detection would involve monitoring for unusual or unauthorized SQL queries that include manipulation of the DATEADD formula's unit parameter, especially those that bypass normal literal validation.

Since the vulnerability requires authentication and specific role privileges, commands to detect exploitation attempts could include reviewing application logs for suspicious formula inputs or SQL queries.

Check NocoDB logs or database query logs for unusual DATEADD formula usage or unexpected SQL commands.

Use SQL query auditing tools on MySQL, PostgreSQL, or SQLite to identify queries with unexpected parameters or injection patterns.

Run commands to search logs for suspicious DATEADD usage, for example (on Linux):

grep -i 'DATEADD' /path/to/nocodb/logs/*

grep -E "DATEADD.*[^"]" /path/to/database/query/logs/*

However, no specific detection commands are provided in the available information. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade NocoDB to version 0.301.3 or later, where this SQL injection vulnerability has been patched.

Additionally, restrict the Creator role privileges to trusted users only, as exploitation requires authenticated access with this role.

Monitor and audit database queries and application logs for suspicious activity related to the DATEADD formula.

If upgrading immediately is not possible, consider temporarily limiting access to the affected functionality or disabling formula inputs that use DATEADD until a patch can be applied.

