CVE-2026-41640
SQL Injection in NocoBase Prior to 2.0.39
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocobase | nocobase | to 2.0.39 (exc) |
| nocobase | database | to 2.0.32 (inc) |
| nocobase | plugin_field_sort | to 2.0.32 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41640 is a SQL Injection vulnerability in the NocoBase platform affecting versions 2.0.32 and earlier. The issue arises in the queryParentSQL() function of the core database package, which constructs recursive Common Table Expression (CTE) queries by concatenating strings instead of using parameterized queries. This allows an attacker who can create a record with a malicious string primary key to inject arbitrary SQL code. When recursive eager loading is triggered on that collection, the injected SQL executes, potentially compromising the database.
The vulnerability specifically affects tree collections with string-type primary keys, where an attacker with record creation permissions can craft a malicious primary key to exploit this flaw. The problem also exists in the plugin-field-sort component due to similar unsafe query construction.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized SQL code execution within the NocoBase database. An attacker exploiting this flaw can perform unauthorized data access, modification, or deletion by injecting malicious SQL commands.
- Unauthorized access to sensitive data.
- Modification or deletion of database records.
- Potential disruption of application functionality due to corrupted or manipulated data.
The vulnerability has a high severity score (CVSS 7.5), indicating significant impact if exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a SQL Injection issue occurring when recursive eager loading is triggered on tree collections with string-type primary keys that can be manipulated by an attacker. Detection involves monitoring for unusual or unauthorized SQL queries that include unexpected string concatenations or suspicious primary key values.
Since the vulnerability arises from the `queryParentSQL()` function constructing SQL queries via string concatenation, you can detect exploitation attempts by logging and analyzing database queries for injected SQL patterns or malformed primary key values.
Specific commands to detect this vulnerability are not provided in the resources. However, general approaches include enabling detailed SQL query logging on your database server and searching logs for recursive CTE queries with suspicious concatenated strings or unexpected input patterns.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade NocoBase to version 2.0.39 or later, where this vulnerability has been patched by replacing string concatenation with parameterized queries in the `queryParentSQL()` function and related components.
If upgrading immediately is not possible, restrict permissions to prevent untrusted users from creating records with malicious string primary keys in tree collections.
Additionally, validate or sanitize primary key values at record creation to reject or escape SQL metacharacters that could be used for injection.
Review and apply any security patches or updates related to the `@nocobase/database` package and the `plugin-field-sort` component, as both were affected.
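To make the patched approach concrete, here is an added illustration in hypothetical code (not NocoBase's own `queryParentSQL()`): the same recursive parent-lookup CTE built once by splicing the primary key value into the SQL text and once by binding it as a parameter, plus an allow-list check of the kind the interim mitigation calls for. The table and column names, the PostgreSQL-style `$1` placeholder and the sample key are assumptions.

```javascript
// Hypothetical illustration for CVE-2026-41640, not NocoBase code: a parent
// lookup for a tree collection with a string primary key, built two ways.

// Identifiers (table and column names) come from the collection schema, never
// from record data; they are allow-listed and double-quoted before use.
function quoteIdentifier(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`rejected identifier: ${name}`);
  }
  return `"${name}"`;
}

// Shared CTE text; only the start-node term differs between the two shapes.
function parentCte(table, pkField, parentField, startTerm) {
  const t = quoteIdentifier(table);
  const pk = quoteIdentifier(pkField);
  const parent = quoteIdentifier(parentField);
  return (
    `WITH RECURSIVE parents AS (` +
    `SELECT * FROM ${t} WHERE ${pk} = ${startTerm} ` +
    `UNION ALL SELECT anc.* FROM ${t} anc ` +
    `JOIN parents p ON anc.${pk} = p.${parent}) ` +
    `SELECT * FROM parents`
  );
}

// Vulnerable shape (CWE-89): the record's primary key value is concatenated
// into the SQL text, so a key containing a quote alters the query's structure.
function queryParentSQLUnsafe(table, pkField, parentField, nodePk) {
  return parentCte(table, pkField, parentField, `'${nodePk}'`);
}

// Hardened shape: identical CTE, but the key travels as a bound parameter
// (PostgreSQL-style $1 placeholder assumed) and never enters the SQL text.
function queryParentSQLSafe(table, pkField, parentField, nodePk) {
  return { sql: parentCte(table, pkField, parentField, '$1'), values: [nodePk] };
}

// Defence in depth for the interim mitigation: allow-list primary key values
// at record creation rather than trying to escape individual metacharacters.
function isAcceptablePrimaryKey(value) {
  return typeof value === 'string' &&
    value.length <= 64 &&
    /^[A-Za-z0-9_.-]+$/.test(value);
}

// Constructed sample key: ordinary data that already breaks a quoted literal.
const SAMPLE_KEY = "O'Brien";
```

With the unsafe builder the sample key leaves an unbalanced quote in the query text; with the safe builder the SQL is the same for every key and the value is carried separately in `values`.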
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-41640 vulnerability allows an attacker to perform SQL injection attacks, potentially leading to unauthorized access, modification, or deletion of data stored in the NocoBase platform.
Such unauthorized data access or manipulation can compromise the confidentiality, integrity, and availability of sensitive information, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA.
Specifically, GDPR requires protection of personal data against unauthorized access and alteration, while HIPAA mandates safeguarding protected health information. This vulnerability could undermine these protections if exploited.
Therefore, organizations using vulnerable versions of NocoBase might face compliance risks until the issue is patched.