GHSA-P8WX-5F39-W3X4

Vulnerability from github – Published: 2026-06-05 16:19 – Updated: 2026-06-05 16:19
VLAI
Summary
NocoDB: SQL Injection via Column Title in Bulk GroupBy
Details

Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.

Details

The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.

Impact

SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.

Credit

This issue was reported by @geo-chen.

Severity
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.05.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.05.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:19:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn authenticated user with column-create permission can inject SQL into the bulk groupBy\nendpoint by setting a column\u0027s title to a SQL fragment.\n\n### Details\nThe bulk groupBy path in `group-by.ts` builds three database-specific `knex.raw()`\naggregations that interpolate the request\u0027s `column_name` directly into the SQL string.\nColumn lookup in `data-table.service.ts` matches on both the sanitized `column_name`\nfield and the free-text `title`, so a title containing a SQL fragment bypasses the\npublic endpoint\u0027s existing column allowlist and reaches the query builder unescaped.\n\n### Impact\nSQL injection against the connected database with read access to any expression an\nattacker can place in a column title. Exploitation requires an authenticated session\nwith permission to create or rename columns.\n\n### Credit\nThis issue was reported by [@geo-chen](https://github.com/geo-chen).",
  "id": "GHSA-p8wx-5f39-w3x4",
  "modified": "2026-06-05T16:19:59Z",
  "published": "2026-06-05T16:19:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-p8wx-5f39-w3x4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: SQL Injection via Column Title in Bulk GroupBy"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.