SQL Injection Risk in NocoBase's Plugin Collection by NocoBase
CVE-2026-52888

6.8MEDIUM

Key Information:

Vendor

Nocobase

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-52888?

NocoBase, an AI-driven no-code/low-code platform, has a vulnerability in its version 2.0.59 and earlier due to the plugin-collection-sql's checkSQL() function. This security flaw arises from an incomplete keyword blacklist, which fails to restrict access to sensitive PostgreSQL system catalog tables like pg_shadow, pg_roles, and pg_stat_activity. As a result, admin-role users could exploit this vulnerability to access sensitive password hashes and critical database metadata using the SQL Collection feature, leading to potential data breaches. The issue has been addressed in version 2.1.0-alpha.46.

Affected Version(s)

nocobase < 2.1.0-alpha.46

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.