Arbitrary Command Execution Vulnerability in NocoBase by NocoBase
CVE-2026-55410

6.7MEDIUM

Key Information:

Vendor

Nocobase

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-55410?

The NocoBase platform, designed for developing business applications with no-code/low-code methods, was found to have a serious vulnerability in its backup restoration process. Before version 2.1.19, the @nocobase/plugin-backups component improperly handled PostgreSQL backup restoration. By using crafted backups, a backup-management user could exploit this issue to execute arbitrary commands within the NocoBase server context through improperly interpolated values in shell command strings. This vulnerability has been addressed in the release of version 2.1.19.

Affected Version(s)

nocobase < 2.1.19

References

CVSS V3.1

Score:
6.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.