SQL Injection Vulnerability in NocoBase AI-Powered No-Code/Low-Code Platform
CVE-2026-41640

7.5 HIGH

Key Information:

Vendor: Nocobase
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41640?

NocoBase, a no-code/low-code platform, was found to contain a SQL injection vulnerability caused by the improper construction of a recursive CTE query in the queryParentSQL() function. The flaw arises because nodeIds are joined into the query text by string concatenation rather than passed as bound parameters. An attacker who can create a record whose primary key is a crafted string can inject arbitrary SQL when a later request triggers recursive eager loading on the affected collection. The issue has been addressed and patched in version 2.0.39.
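
The pattern described above, shown as an added example that is not NocoBase's own code: a recursive parent-lookup CTE built by splicing ids into the SQL text, beside the same query built with bind placeholders. The table name, column names, function names and the sample ids are assumptions.

```javascript
// Vulnerable pattern: ids are spliced into the statement text. Any id that is
// not a plain number (for example a string primary key containing a quote)
// becomes part of the query syntax instead of a value.
function buildParentSqlUnsafe(table, nodeIds) {
  const idList = nodeIds.map((id) => `'${id}'`).join(', ');
  return `WITH RECURSIVE cte AS (
  SELECT id, parent_id FROM ${table} WHERE id IN (${idList})
  UNION ALL
  SELECT t.id, t.parent_id FROM ${table} t JOIN cte ON t.id = cte.parent_id
) SELECT * FROM cte`;
}

// Hardened pattern: one bind placeholder per id, values returned separately.
// The driver sends the values out of band, so quote characters never reach
// the SQL parser. Identifiers cannot be bound, so the table name is checked
// against an allow-list pattern instead.
function buildParentSqlSafe(table, nodeIds) {
  if (!Array.isArray(nodeIds) || nodeIds.length === 0) {
    throw new Error('nodeIds must be a non-empty array');
  }
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(table)) {
    throw new Error('table name is not a safe identifier');
  }
  const placeholders = nodeIds.map((_, i) => `$${i + 1}`).join(', ');
  const sql = `WITH RECURSIVE cte AS (
  SELECT id, parent_id FROM ${table} WHERE id IN (${placeholders})
  UNION ALL
  SELECT t.id, t.parent_id FROM ${table} t JOIN cte ON t.id = cte.parent_id
) SELECT * FROM cte`;
  return { sql, params: nodeIds.map(String) };
}

// Review helper: count the single quotes a builder emitted. With concatenation
// the count depends on the ids (an odd count means a broken statement); with
// placeholders it is always zero because no value is ever quoted into the text.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample: a numeric id and a string id containing a quote.
const sampleIds = ['1', "O'Brien"];
console.log(countQuotes(buildParentSqlUnsafe('nodes', sampleIds))); // 5
console.log(buildParentSqlSafe('nodes', sampleIds));
```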

Affected Version(s)

nocobase < 2.0.39

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
