CVE-2026-41641
Analyzed Analyzed - Analysis Complete
SQL Injection Bypass in NocoBase Collections

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41641
EUVD
EUVD-2026-28318
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nocobase nocobase to 2.0.39 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41641 is a SQL injection and validation bypass vulnerability in the NocoBase platform, specifically affecting versions prior to 2.0.39. The vulnerability exists because the checkSQL() validation function, which blocks dangerous SQL keywords like pg_read_file, LOAD_FILE, and dblink, is missing on the sqlCollection:update endpoint. This allows an attacker with collection management permissions to create a SQL collection with safe SQL, then update it with malicious SQL that bypasses validation, enabling arbitrary SQL execution and data exfiltration.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL commands, which can lead to data exfiltration, privilege escalation, and unauthorized file system access on the database server. It compromises the confidentiality, integrity, and availability of the affected system.

Detection Guidance

This vulnerability involves the ability to update a SQL collection with malicious SQL that bypasses validation on the sqlCollection:update endpoint. Detection would involve monitoring for unusual or unauthorized SQL update requests to this endpoint, especially those containing dangerous SQL keywords such as pg_read_file, LOAD_FILE, or dblink.

Since the vulnerability requires collection management permissions, reviewing logs for update actions on SQL collections and checking for SQL statements that include suspicious keywords or patterns can help detect exploitation attempts.

  • Inspect application logs or API request logs for calls to the sqlCollection:update endpoint with SQL containing keywords like pg_read_file, LOAD_FILE, or dblink.
  • Use database query logs to identify unexpected or unauthorized SQL commands executed via the application.
  • Example command to search logs for suspicious SQL keywords (assuming logs are in a file named app.log): grep -iE 'pg_read_file|LOAD_FILE|dblink' app.log
  • If using a network monitoring tool, filter HTTP requests to the sqlCollection:update endpoint and analyze payloads for dangerous SQL keywords.
Mitigation Strategies

The primary mitigation is to upgrade NocoBase to version 2.0.39 or later, where the vulnerability has been patched by adding the missing checkSQL() validation on the sqlCollection:update endpoint.

Until the upgrade can be applied, restrict collection management permissions to trusted users only, as the vulnerability requires such privileges to exploit.

Additionally, monitor and audit SQL collection update requests for suspicious activity and consider implementing network or application-level controls to block SQL containing dangerous keywords.

Review and enhance SQL validation mechanisms if possible, moving towards a parser-based allowlist approach rather than relying solely on keyword blocking.

Compliance Impact

The vulnerability allows an attacker with collection management permissions to execute arbitrary SQL commands, leading to data exfiltration and potential unauthorized access to sensitive information.

Such unauthorized data access and exfiltration can result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive data.

Because the vulnerability impacts confidentiality, integrity, and availability of data, organizations using affected versions of NocoBase may face compliance risks if the vulnerability is exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart