CVE-2026-47375
Status: Received - Intake
SQL Injection in NocoDB via ARRAYSORT Formula

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb
Product: nocodb
Version / Range: to 2026.04.1 (inc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability exists in NocoDB software versions prior to 2026.04.1. It allows an authenticated user who has the columnAdd permission on a Postgres-backed base to inject arbitrary SQL code into the formula engine. This is done through the optional direction argument of the ARRAYSORT(...) function. The input for this argument is not properly validated by the formula engine, and the injected SQL is embedded into a knex.raw ORDER BY clause. This SQL injection occurs during the creation of a column and every time a record is read from the formula column.

The vulnerability specifically affects the Postgres mapping for ARRAYSORT in the file packages/nocodb/src/db/functionMappings/pg.ts and has been fixed in version 2026.04.1.

Impact Analysis

This vulnerability can lead to unauthorized execution of arbitrary SQL commands within the database. Since the injected SQL is executed during column creation and record reads, an attacker with the required permissions could manipulate or corrupt data, escalate privileges, or cause denial of service by impacting database availability.

The CVSS score of 6.0 indicates medium severity: attack complexity is low, but high privileges are required. The impact is low for confidentiality and integrity and high for availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.04.1 or later, where the issue has been fixed.
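As an added illustration (not NocoDB's code and not the fix shipped in 2026.04.1), this is the kind of allowlist check the description says the formula validation lacked: the direction argument is reduced to a fixed enum before any ORDER BY text is assembled, so user-supplied text never reaches the raw SQL. The function names, the SQL shape and the assumption that the array expression is already a validated identifier are all hypothetical.

```typescript
// Added example, not NocoDB's own code. Demonstrates allowlisting the
// optional direction argument of an ARRAYSORT-style formula function
// before it is placed into an ORDER BY fragment.

type SortDirection = 'ASC' | 'DESC';

const ALLOWED_DIRECTIONS: ReadonlySet<string> = new Set(['ASC', 'DESC']);

// Normalise and validate the direction argument.
// Returns the default when the argument is omitted, and null when the
// value is anything other than exactly ASC or DESC (case-insensitive).
function parseSortDirection(raw: unknown): SortDirection | null {
  if (raw === undefined || raw === null) return 'ASC'; // argument omitted
  if (typeof raw !== 'string') return null;
  const v = raw.trim().toUpperCase();
  return ALLOWED_DIRECTIONS.has(v) ? (v as SortDirection) : null;
}

// Build the Postgres fragment for a sorted array (hypothetical SQL shape).
// quotedArrayExpr is assumed to be a column identifier that was already
// validated and quoted upstream; the direction is only ever the enum value
// returned above, never the caller's raw string.
function buildArraySortSql(quotedArrayExpr: string, raw: unknown): string {
  const dir = parseSortDirection(raw);
  if (dir === null) {
    // Reject at validation time instead of letting the text reach SQL.
    throw new Error(`ARRAYSORT: invalid direction argument ${JSON.stringify(raw)}`);
  }
  return `(SELECT array_agg(e ORDER BY e ${dir}) FROM unnest(${quotedArrayExpr}) AS e)`;
}
```

The same validation would run once at column creation, which is where the description says the unvalidated value is first embedded, so nothing unexpected is stored for later record reads.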
