SQL Injection Risk in NocoBase's Plugin Collection by NocoBase
CVE-2026-52888
6.8MEDIUM
What is CVE-2026-52888?
NocoBase, an AI-driven no-code/low-code platform, has a vulnerability in its version 2.0.59 and earlier due to the plugin-collection-sql's checkSQL() function. This security flaw arises from an incomplete keyword blacklist, which fails to restrict access to sensitive PostgreSQL system catalog tables like pg_shadow, pg_roles, and pg_stat_activity. As a result, admin-role users could exploit this vulnerability to access sensitive password hashes and critical database metadata using the SQL Collection feature, leading to potential data breaches. The issue has been addressed in version 2.1.0-alpha.46.
Affected Version(s)
nocobase < 2.1.0-alpha.46
