CVE-2026-47384
Deferred Deferred - Pending Action

SQL Injection in NocoDB Prior to 2026.05.1

Vulnerability report for CVE-2026-47384, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb 2026.05.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This SQL injection vulnerability in NocoDB allows an authenticated user with column-create permissions to execute unauthorized SQL queries, potentially leading to unauthorized access to sensitive data stored in the database.

Such unauthorized data access could result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance by exposing protected data or enabling unauthorized data manipulation.

Executive Summary

This vulnerability exists in NocoDB software versions prior to 2026.05.1. An authenticated user who has permission to create columns can exploit the bulk groupBy endpoint by injecting SQL code through a column's title. The system builds SQL queries by directly inserting the column name into the query string without proper escaping, and because the column title is used in the lookup process, a malicious SQL fragment in the title bypasses the allowlist protections and reaches the query builder unescaped. This can lead to unintended SQL execution.

Impact Analysis

This vulnerability allows an authenticated user with limited permissions to perform SQL injection attacks via the bulk groupBy endpoint. This could lead to unauthorized data access, data manipulation, or other unintended database operations, potentially compromising the integrity and confidentiality of the database.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue has been fixed.

Detection Guidance

This vulnerability can be detected by checking if your NocoDB instance is running a version prior to 2026.05.1 and if authenticated users with column-create permissions can set a column's title to a SQL fragment that is then executed in the bulk groupBy endpoint.

To detect potential exploitation attempts or presence of this vulnerability, you can monitor logs for unusual SQL fragments in requests to the bulk groupBy endpoint, especially those involving column title changes.

Since exploitation requires authenticated access with column-create permissions, verifying user permissions and auditing recent column creation or renaming activities can help identify suspicious behavior.

Specific commands depend on your environment, but example approaches include:

  • Review web server or application logs for POST requests to the bulk groupBy endpoint containing suspicious SQL fragments in the column title field.
  • Use database query logs to detect unusual raw SQL queries that include injected fragments from column titles.
  • Run a version check command or query to confirm the NocoDB version, for example by accessing the application info or querying the version endpoint if available.
  • Audit user permissions to identify users with column-create rights who might exploit this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart