CVE-2026-41641
SQL Injection Bypass in NocoBase Collections
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocobase | nocobase | up to 2.0.39 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41641 is a SQL injection and validation bypass vulnerability in the NocoBase platform, specifically affecting versions prior to 2.0.39. The vulnerability exists because the checkSQL() validation function, which blocks dangerous SQL keywords like pg_read_file, LOAD_FILE, and dblink, is missing on the sqlCollection:update endpoint. This allows an attacker with collection management permissions to create a SQL collection with safe SQL, then update it with malicious SQL that bypasses validation, enabling arbitrary SQL execution and data exfiltration.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands, which can lead to data exfiltration, privilege escalation, and unauthorized file system access on the database server. It compromises the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the ability to update a SQL collection with malicious SQL that bypasses validation on the sqlCollection:update endpoint. Detection would involve monitoring for unusual or unauthorized SQL update requests to this endpoint, especially those containing dangerous SQL keywords such as pg_read_file, LOAD_FILE, or dblink.
Since the vulnerability requires collection management permissions, reviewing logs for update actions on SQL collections and checking for SQL statements that include suspicious keywords or patterns can help detect exploitation attempts.
- Inspect application logs or API request logs for calls to the sqlCollection:update endpoint with SQL containing keywords like pg_read_file, LOAD_FILE, or dblink.
- Use database query logs to identify unexpected or unauthorized SQL commands executed via the application.
- Example command to search logs for suspicious SQL keywords (assuming logs are in a file named app.log): `grep -iE 'pg_read_file|LOAD_FILE|dblink' app.log`
- If using a network monitoring tool, filter HTTP requests to the sqlCollection:update endpoint and analyze payloads for dangerous SQL keywords.
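As an added illustration of the log review described above (not code from NocoBase or from this record), the following Python scans a constructed JSON-lines API request log for sqlCollection:update calls whose SQL contains the keywords the advisory names. The log field layout (ts, user, action, body.sql) is an assumption, not NocoBase's real log format.

```python
import json
import re

# Keywords named in the advisory; matched case-insensitively on word boundaries
# so LOAD_FILE, load_file and DBLINK( are all caught.
DANGEROUS_SQL = re.compile(r"\b(pg_read_file|load_file|dblink)\b", re.IGNORECASE)
TARGET_ACTION = "sqlCollection:update"

# Constructed sample log (JSON lines). Field names are assumed for this example.
SAMPLE_LOG = """\
{"ts":"2026-05-07T10:00:01Z","user":"alice","action":"sqlCollection:create","body":{"name":"sales","sql":"SELECT id, total FROM orders"}}
{"ts":"2026-05-07T10:00:09Z","user":"alice","action":"sqlCollection:update","body":{"name":"sales","sql":"SELECT pg_read_file('/etc/passwd')"}}
{"ts":"2026-05-07T10:01:12Z","user":"bob","action":"sqlCollection:update","body":{"name":"sales","sql":"SELECT id FROM orders WHERE status = 'done'"}}
{"ts":"2026-05-07T10:02:00Z","user":"carol","action":"sqlCollection:update","body":{"name":"dl","sql":"select * from DBLINK('host=x','select 1') as t(a int)"}}
{"ts":"2026-05-07T10:03:00Z","user":"dave","action":"users:list","body":{}}
not-json garbage line
"""


def find_suspicious_updates(log_text):
    """Return (user, collection name, matched keyword) for every sqlCollection:update
    request whose SQL contains one of the advisory's dangerous keywords.
    Malformed lines and other actions are skipped."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("action") != TARGET_ACTION:
            continue
        body = event.get("body") or {}
        match = DANGEROUS_SQL.search(body.get("sql", ""))
        if match:
            hits.append((event.get("user"), body.get("name"), match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for user, name, keyword in find_suspicious_updates(SAMPLE_LOG):
        print(f"ALERT user={user} collection={name} keyword={keyword}")
```

Keyword matching is only a first-pass signal: it misses obfuscated SQL and flags legitimate references to those names, so confirmed hits should be reviewed against the database query log as well.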
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade NocoBase to version 2.0.39 or later, where the vulnerability has been patched by adding the missing checkSQL() validation on the sqlCollection:update endpoint.
Until the upgrade can be applied, restrict collection management permissions to trusted users only, as the vulnerability requires such privileges to exploit.
Additionally, monitor and audit SQL collection update requests for suspicious activity and consider implementing network or application-level controls to block SQL containing dangerous keywords.
Review and enhance SQL validation mechanisms if possible, moving towards a parser-based allowlist approach rather than relying solely on keyword blocking.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with collection management permissions to execute arbitrary SQL commands, leading to data exfiltration and potential unauthorized access to sensitive information.
Such unauthorized data access and exfiltration can result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive data.
Because the vulnerability impacts confidentiality, integrity, and availability of data, organizations using affected versions of NocoBase may face compliance risks if the vulnerability is exploited.