CVE Catalog

CVE-2026-47384

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile - higher than 22% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 allows authenticated users with column-create permission to inject SQL into the bulk groupBy endpoint. This can be achieved by setting a column's title to a SQL fragment, bypassing the existing column allowlist.

Risk Assessment

The organization may be exposed to SQL injection attacks, potentially leading to unauthorized access or modification of data. Exploitation of this vulnerability could have serious implications for data security.

Recommendation

It is recommended to upgrade NocoDB to version 2026.05.1 or later to mitigate this vulnerability. Additionally, conducting a user permission audit and monitoring logs for potential exploitation attempts is advisable.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS