CVE-2026-34825
SQL Injection in NocoBase Workflow SQL Plugin Allows Data Manipulation
Publication date: 2026-04-02
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocobase | nocobase | versions before 2.0.30 (2.0.30 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to perform arbitrary SQL injection, potentially leading to unauthorized access, modification, or deletion of sensitive data stored in the database.
Such unauthorized access and data manipulation can result in breaches of data confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Specifically, exposure or alteration of personal or protected health information due to this vulnerability could lead to non-compliance with these regulations, resulting in legal and financial consequences.
The vulnerability's severity is heightened by the fact that the default deployment runs with superuser database privileges, increasing the risk of extensive data compromise.
Can you explain this vulnerability to me?
CVE-2026-34825 is a high-severity SQL injection vulnerability in the NocoBase plugin-workflow-sql component. The vulnerability occurs because the plugin substitutes template variables directly into raw SQL strings without parameterization or escaping, using the getParsedValue() method. This allows an attacker who can trigger a workflow containing a SQL node with user-controlled template variables to inject arbitrary SQL commands.
For example, if a SQL node uses a template like SELECT * FROM users WHERE nickname = '{{$context.data.nickname}}', an attacker can supply a crafted nickname value that breaks out of the string and injects additional SQL statements, such as UNION SELECT queries, to retrieve sensitive data like database version and current user.
The root cause is the lack of parameter binding or escaping when constructing and executing SQL queries, which leads to unsafe direct string substitution of user input into SQL commands.
This issue has been patched in version 2.0.30 by replacing direct string substitution with parameterized queries using Sequelize bind parameters, ensuring user input is safely handled.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to perform arbitrary SQL injection attacks on the database used by NocoBase workflows. Potential consequences include:
- Full database read access, enabling extraction of sensitive information such as credentials, user data, and database metadata.
- Full database write access, allowing modification or deletion of records, which can corrupt or destroy data.
- Execution of destructive commands like dropping tables, potentially causing data loss.
The impact is heightened because the default Docker deployment runs with superuser database privileges, increasing the potential damage an attacker can cause.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your NocoBase installation uses the vulnerable @nocobase/plugin-workflow-sql plugin version 2.0.8 or earlier, which substitutes template variables directly into raw SQL strings without parameterization.
Specifically, detection involves checking for workflows containing SQL nodes that use the getParsedValue() method for SQL string construction without parameter binding.
You can also look for the presence of the unsafeInjection flag set to true in SQL nodes, which indicates usage of the unsafe legacy injection mode.
While no explicit network commands are provided in the resources, you can audit your system by:
- Checking the version of the @nocobase/plugin-workflow-sql package installed (e.g., via npm list or package.json).
- Reviewing workflow SQL nodes for raw SQL strings containing template variables like {{$context.data.fieldName}}.
- Searching code or configuration files for usage of getParsedValue() without parameterization.
- Inspecting workflow node configurations for the unsafeInjection flag or warnings about unsafe injection mode.
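The substitution-versus-binding contrast from the explanation above and the audit points in this checklist, as an added JavaScript example that is not NocoBase's own code: the workflow node shape (`{ id, type, config: { sql, unsafeInjection } }`), the `$p0`-style bind names and the sample data are assumptions; the template syntax follows the advisory.

```javascript
// Added example, not NocoBase's own code: legacy raw-string substitution from
// the advisory beside the bind-parameter form of the fix, plus an audit over
// workflow SQL nodes. Node shape and $p0-style bind names are assumptions.
// A template variable such as {{$context.data.nickname}}.
const VAR = /\{\{\s*\$context\.data\.(\w+)\s*\}\}/;
// Same, also swallowing the quotes a legacy template wraps around the value:
// a bound parameter must not sit inside a string literal.
const QUOTED_VAR_G = /'?\{\{\s*\$context\.data\.(\w+)\s*\}\}'?/g;

// Legacy behaviour (CWE-89): the value is pasted into the SQL text, so a quote
// in it changes the statement's structure instead of staying data.
function unsafeSubstitute(template, data) {
  return template.replace(new RegExp(VAR.source, 'g'), (_, f) => String(data[f]));
}

// Fixed behaviour: each variable becomes a named placeholder and the values
// travel separately, the shape accepted by sequelize.query(sql, { bind }).
function compileWithBinds(template, data) {
  const bind = {};
  let i = 0;
  const sql = template.replace(QUOTED_VAR_G, (_, f) => {
    const key = `p${i++}`;
    bind[key] = data[f];
    return `$${key}`;
  });
  return { sql, bind };
}

// Audit: SQL nodes still on the legacy mode, by flag or by raw template
// variables left in the SQL text.
function findUnsafeSqlNodes(nodes) {
  return nodes
    .filter((n) => n.type === 'sql')
    .filter((n) => n.config.unsafeInjection === true || VAR.test(n.config.sql || ''))
    .map((n) => n.id);
}

// Constructed sample input: the advisory's template, a legitimate nickname
// that happens to contain an apostrophe, and a few assumed workflow nodes.
const TEMPLATE = "SELECT * FROM users WHERE nickname = '{{$context.data.nickname}}'";
const DATA = { nickname: "O'Brien" };
const SAMPLE_NODES = [
  { id: 'n1', type: 'sql', config: { sql: 'SELECT 1', unsafeInjection: true } },
  { id: 'n2', type: 'sql', config: { sql: TEMPLATE } },
  { id: 'n3', type: 'sql', config: { sql: 'SELECT * FROM users WHERE nickname = $p0' } },
  { id: 'n4', type: 'condition', config: {} },
];
console.log(unsafeSubstitute(TEMPLATE, DATA)); // ... nickname = 'O'Brien'  (structure broken)
console.log(compileWithBinds(TEMPLATE, DATA)); // ... nickname = $p0, bind { p0: "O'Brien" }
console.log(findUnsafeSqlNodes(SAMPLE_NODES)); // [ 'n1', 'n2' ]
```

The compiled `sql` and `bind` pair is what would be handed to `sequelize.query`; the legacy string is what the driver would otherwise receive verbatim.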
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade to NocoBase version 2.0.30 or later, where the vulnerability has been patched.
This update replaces unsafe direct string substitution with parameterized queries using Sequelize bind parameters, preventing SQL injection.
If upgrading immediately is not possible, you should:
- Avoid using workflows with SQL nodes that directly substitute user input into SQL strings.
- Enable and use the safe injection mode by migrating any SQL nodes from unsafeInjection mode to safe mode using the provided UI migration tools.
- Review and refactor SQL nodes to use parameterized queries with explicit variable bindings instead of raw string substitution.
- Limit database privileges for the NocoBase service user to reduce impact if exploitation occurs.