SQL Injection Vulnerability in NocoBase AI-Powered Platform
CVE-2026-34825

8.5HIGH

Key Information:

Vendor:
Nocobase
Status:
Vendor
CVE Published:
2 April 2026

What is CVE-2026-34825?

NocoBase, an AI-powered no-code/low-code platform for building business applications, contains a vulnerability in its Plugin-Workflow-SQL component. Prior to version 2.0.30, the platform substituted workflow template variables directly into raw SQL strings without parameterization or escaping. As a result, a user who can trigger a workflow whose SQL node incorporates user-controlled data can execute arbitrary SQL commands. Version 2.0.30 contains a patch for this vulnerability.
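To illustrate the flaw class described above, the following is an added example and not NocoBase's own code: a toy workflow SQL node that renders `{{path}}` placeholders from the workflow context. `renderUnsafe()` splices the value into the statement text (the pattern the advisory describes), while `renderSafe()` emits a bind parameter instead; the `{{ }}` placeholder syntax and the PostgreSQL-style `$n` parameters are assumptions for the example.

```javascript
// Added example, not NocoBase code. Placeholder syntax and $n parameters assumed.
const PLACEHOLDER = /\{\{\s*([\w.]+)\s*\}\}/g;

// Resolve a dotted path such as "trigger.data.name" against the workflow context.
function lookup(ctx, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// Vulnerable: the value becomes part of the statement text, so a quote in the
// data closes the literal and everything after it is parsed as SQL.
function renderUnsafe(template, ctx) {
  return template.replace(PLACEHOLDER, (_, path) => String(lookup(ctx, path)));
}

// Hardened: each placeholder becomes $1, $2, ... and the values travel in a
// separate array that the driver sends to the database out of band.
function renderSafe(template, ctx) {
  const values = [];
  const text = template.replace(PLACEHOLDER, (_, path) => {
    values.push(lookup(ctx, path));
    return `$${values.length}`;
  });
  return { text, values };
}

// Review aid: a placeholder written inside quotes ('{{x}}') only makes sense when
// a node splices strings, so flag such templates when migrating them to binding.
function quotedPlaceholders(template) {
  return [...template.matchAll(/'\s*\{\{\s*([\w.]+)\s*\}\}\s*'/g)].map((m) => m[1]);
}

// Constructed sample: a string-splicing template, its bind-parameter rewrite, and
// a record whose name contains a quote (benign data that already breaks the query).
const UNSAFE_TEMPLATE =
  "SELECT id FROM users WHERE name = '{{trigger.data.name}}' AND org = {{trigger.data.orgId}}";
const SAFE_TEMPLATE =
  "SELECT id FROM users WHERE name = {{trigger.data.name}} AND org = {{trigger.data.orgId}}";
const CONTEXT = { trigger: { data: { name: "O'Brien", orgId: 7 } } };

console.log(renderUnsafe(UNSAFE_TEMPLATE, CONTEXT)); // literal is broken by the quote
console.log(renderSafe(SAFE_TEMPLATE, CONTEXT));     // text is stable, value is bound
console.log(quotedPlaceholders(UNSAFE_TEMPLATE));    // ["trigger.data.name"]
```

The safe rendering produces the same statement text for every input, which is the property a reviewer should check for in any SQL node that accepts workflow data.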

Affected Version(s)

nocobase < 2.0.30

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
