NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL`...

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.

Basic Information

ID CVE-2026-41641

Source GitHub_M

Published May 7, 2026 at 04:13

Affected Product

Vendor nocobase

Product nocobase

Version < 2.0.39

Affected Versions nocobase nocobase < 2.0.39

CWE Classification

CWE-89 CWE-284

References

{
    "lastseen": "",
    "description": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.",
    "published": "2026-05-07T04:13:33.609Z",
    "modified": "2026-05-07T04:13:33.609Z",
    "type": "cve",
    "title": "NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call",
    "source": "GitHub_M",
    "references": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh\nhttps://github.com/nocobase/nocobase/pull/9134\nhttps://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91\nhttps://github.com/nocobase/nocobase/releases/tag/v2.0.39",
    "id": "CVE-2026-41641",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "nocobase nocobase < 2.0.39",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nocobase",
    "version": "< 2.0.39",
    "vendor": "nocobase",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call_CVE-2026-41641