GHSA-VX58-FWWQ-5G8J

Vulnerability from github – Published: 2026-04-01 23:44 – Updated: 2026-04-10 17:32
VLAI?
Summary
NocoBase Has SQL Injection via template variable substitution in workflow SQL node
Details

Summary

NocoBase <= 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL.

Affected Versions

  • Affected: all versions through 2.0.8

Details

The SQLInstruction in packages/plugins/@nocobase/plugin-workflow-sql/src/server/SQLInstruction.ts line 28 processes SQL templates:

// SQLInstruction.ts:28
const sql = processor.getParsedValue(node.config.sql || '', node.id).trim();

Then executes the resulting string directly:

// SQLInstruction.ts:35
const [result] = await collectionManager.db.sequelize.query(sql, {
  transaction: this.workflow.useDataSourceTransaction(dataSourceName, processor.transaction),
});

getParsedValue() performs simple string substitution of {{$context.data.fieldName}} placeholders with values from the workflow trigger data. No escaping, quoting, or parameterized binding is applied.

When an admin creates a SQL node with a template like:

SELECT * FROM users WHERE nickname = '{{$context.data.nickname}}'

Any user who triggers the workflow with a crafted value can break out of the string literal and inject arbitrary SQL.

Proof of Concept

  1. Login as admin
  2. Create a collection-trigger workflow on the users table (mode: after create)
  3. Add a SQL node with:
SELECT id, nickname, email FROM users WHERE nickname = '{{$context.data.nickname}}'
  1. Enable the workflow
  2. Create a user with nickname set to: ' UNION SELECT 1,version(),current_user --
  3. Check execution result:
[
  {
    "id": 1,
    "nickname": "PostgreSQL 16.13 (Debian 16.13-1.pgdg13+1) on x86_64-pc-linux-gnu...",
    "email": "nocobase"
  }
]

The injected UNION SELECT returned the database version and current database user.

Impact

Full database read/write access through SQL injection. An attacker who can trigger a workflow with a SQL node containing template variables from user-controlled data can extract credentials, modify records, or drop tables. The severity depends on the database user's privileges (full superuser access in the default Docker deployment).

Suggested Fix

Use parameterized queries. Replace direct string substitution with Sequelize bind parameters:

// SQLInstruction.ts
- const sql = processor.getParsedValue(node.config.sql || '', node.id).trim();
+ const { sql, bind } = processor.getParsedValueAsParams(node.config.sql || '', node.id);
  const [result] = await collectionManager.db.sequelize.query(sql, {
+   bind,
    transaction: ...
  });
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
8.5 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.29"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nocobase/plugin-workflow-sql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:44:37Z",
    "nvd_published_at": "2026-04-02T20:16:26Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nNocoBase \u003c= 2.0.8 `plugin-workflow-sql` substitutes template variables directly into raw SQL strings via `getParsedValue()` without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL.\n\n## Affected Versions\n\n- Affected: all versions through 2.0.8\n\n## Details\n\nThe `SQLInstruction` in `packages/plugins/@nocobase/plugin-workflow-sql/src/server/SQLInstruction.ts` line 28 processes SQL templates:\n\n```typescript\n// SQLInstruction.ts:28\nconst sql = processor.getParsedValue(node.config.sql || \u0027\u0027, node.id).trim();\n```\n\nThen executes the resulting string directly:\n\n```typescript\n// SQLInstruction.ts:35\nconst [result] = await collectionManager.db.sequelize.query(sql, {\n  transaction: this.workflow.useDataSourceTransaction(dataSourceName, processor.transaction),\n});\n```\n\n`getParsedValue()` performs simple string substitution of `{{$context.data.fieldName}}` placeholders with values from the workflow trigger data. No escaping, quoting, or parameterized binding is applied.\n\nWhen an admin creates a SQL node with a template like:\n```sql\nSELECT * FROM users WHERE nickname = \u0027{{$context.data.nickname}}\u0027\n```\n\nAny user who triggers the workflow with a crafted value can break out of the string literal and inject arbitrary SQL.\n\n## Proof of Concept\n\n1. Login as admin\n2. Create a collection-trigger workflow on the `users` table (mode: after create)\n3. Add a SQL node with:\n```sql\nSELECT id, nickname, email FROM users WHERE nickname = \u0027{{$context.data.nickname}}\u0027\n```\n4. Enable the workflow\n5. Create a user with nickname set to: `\u0027 UNION SELECT 1,version(),current_user --`\n6. Check execution result:\n\n```json\n[\n  {\n    \"id\": 1,\n    \"nickname\": \"PostgreSQL 16.13 (Debian 16.13-1.pgdg13+1) on x86_64-pc-linux-gnu...\",\n    \"email\": \"nocobase\"\n  }\n]\n```\n\nThe injected UNION SELECT returned the database version and current database user.\n\n## Impact\n\nFull database read/write access through SQL injection. An attacker who can trigger a workflow with a SQL node containing template variables from user-controlled data can extract credentials, modify records, or drop tables. The severity depends on the database user\u0027s privileges (full superuser access in the default Docker deployment).\n\n## Suggested Fix\n\nUse parameterized queries. Replace direct string substitution with Sequelize bind parameters:\n\n```diff\n// SQLInstruction.ts\n- const sql = processor.getParsedValue(node.config.sql || \u0027\u0027, node.id).trim();\n+ const { sql, bind } = processor.getParsedValueAsParams(node.config.sql || \u0027\u0027, node.id);\n  const [result] = await collectionManager.db.sequelize.query(sql, {\n+   bind,\n    transaction: ...\n  });\n```",
  "id": "GHSA-vx58-fwwq-5g8j",
  "modified": "2026-04-10T17:32:48Z",
  "published": "2026-04-01T23:44:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34825"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocobase/nocobase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.