CVE-2026-41640
published 2026-05-07


Priority: P268 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 1.88% (76.8th percentile)
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.

Affected (2 ranges)

Vendor    Product    Version range      Fixed in
nocobase  database   >= 0, < 2.0.39     2.0.39
nocobase  nocobase   < 2.0.39           2.0.39

Detection & IOCs (extracted from sources)

  url: /api/auth:signIn
  url: /api/collections:create
  url: /api/{{cname}}:create
  url: /api/{{cname}}:list?appends[]=parent(recursively%3Dtrue)&pageSize=100
  url: /api/app:getInfo
  command: safe_root') UNION ALL SELECT CAST(version() AS integer)::text, NULL::text WHERE ('1'='1
  path: packages/@nocobase/database/src/eager-loading/eager-loading-tree.ts
  • An HTTP 500 response containing 'invalid input syntax for type integer' on a tree collection list endpoint indicates that the SQL injection was triggered via recursive eager loading.
  • Monitor POST requests to /api/collections:create that define a tree collection (adjacencyList tree type) with string-type primary keys, as this is a prerequisite for exploitation.
  • Detect SQL injection payloads in record 'id' fields containing UNION ALL SELECT or closing parenthesis/quote sequences (e.g., `') UNION ALL SELECT`) submitted to NocoBase collection create endpoints.
  • Vulnerable NocoBase versions are <= 2.0.32 (as checked by the nuclei template); flag instances where /api/app:getInfo returns a version at or below this threshold.
  • The injection is triggered by a GET request to the tree collection list endpoint with the 'appends[]=parent(recursively=true)' parameter, which activates the vulnerable queryParentSQL() recursive CTE code path.
  • The vulnerable function is queryParentSQL() in the @nocobase/database package (eager-loading-tree.ts); look for this function in source audits or in stack traces in error logs.
  • The nuclei template version check uses '<= 2.0.32', but the NVD advisory states the patch is in version 2.0.39; the version boundary in the template may underreport vulnerable instances between 2.0.33 and 2.0.38.
  • Exploitation requires an authenticated attacker with record creation permissions on a tree collection that uses string-type primary keys; collections with integer primary keys are not affected.
  • The SQL injection payload used in the template is PostgreSQL-specific (CAST(version() AS integer)::text); detection based on the error string 'invalid input syntax for type integer' is only valid for PostgreSQL backends.
  • The attack chain requires multiple sequential steps: sign-in, collection creation, two malicious record creations, and finally a list request with recursive eager loading; partial flows will not trigger the vulnerability.
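Added example (not from the advisory, the nuclei template or NocoBase): a small Python triage script that applies the detection notes above to constructed API request events and reports only those collections where every step of the chain was observed, since a recursive parent load on its own is normal application traffic. The event format and the collection-create body keys (name, tree, fields, type, primaryKey) are assumptions, not the product's documented schema.

```python
import re
from urllib.parse import unquote

UNION_RE = re.compile(r"'\)\s*UNION\s+ALL\s+SELECT", re.IGNORECASE)   # quote/paren break-out in a string id
RECURSIVE_RE = re.compile(r"appends\[\]=parent\(recursively=true\)", re.IGNORECASE)
PG_ERROR = "invalid input syntax for type integer"                     # PostgreSQL-only error signal

# Constructed sample events (not from the advisory); body keys are an assumed collection-create schema.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/api/collections:create", "status": 200,
     "body": {"name": "dept", "tree": "adjacencyList", "fields": [{"name": "id", "type": "string", "primaryKey": True}]}},
    {"method": "POST", "path": "/api/dept:create", "status": 200, "body": {"id": "safe_root"}},
    {"method": "POST", "path": "/api/dept:create", "status": 200,
     "body": {"id": "x') UNION ALL SELECT NULL::text, NULL::text WHERE ('1'='1"}},
    {"method": "GET", "path": "/api/dept:list?appends[]=parent(recursively%3Dtrue)&pageSize=100",
     "status": 500, "error": "invalid input syntax for type integer"},
    {"method": "GET", "path": "/api/orgs:list?appends[]=parent(recursively%3Dtrue)", "status": 200},
]

def collection_of(path):
    """Split /api/<cname>:<action>... into (cname, action); (None, None) for other paths."""
    m = re.match(r"/api/([^:/?]+):(\w+)", path)
    return (m.group(1), m.group(2)) if m else (None, None)

def analyze(events):
    """Tag each event with the advisory's indicators; returns (findings, string-PK tree collections)."""
    findings, tree_cols = [], set()
    for ev in events:
        path = unquote(ev["path"])                     # decode %3D so the appends[] check is robust
        cname, action = collection_of(path)
        body = ev.get("body") or {}
        if ev["method"] == "POST" and (cname, action) == ("collections", "create"):
            string_pk = any(f.get("primaryKey") and f.get("type") == "string" for f in body.get("fields", []))
            if body.get("tree") == "adjacencyList" and string_pk:
                tree_cols.add(body["name"])
                findings.append(("tree_collection_string_pk", body["name"]))
        elif ev["method"] == "POST" and action == "create" and UNION_RE.search(str(body.get("id", ""))):
            findings.append(("sqli_payload_in_id", cname))
        elif ev["method"] == "GET" and action == "list" and RECURSIVE_RE.search(path):
            findings.append(("recursive_parent_eager_load", cname))   # benign alone; this is the trigger step
            if ev["status"] == 500 and PG_ERROR in (ev.get("error") or ""):
                findings.append(("pg_integer_cast_error_500", cname))
    return findings, tree_cols

def attack_chains(findings, tree_cols):
    """Collections where the full chain was seen (string-PK tree, payload in id, recursive parent load)."""
    by_col = {}
    for rule, cname in findings:
        by_col.setdefault(cname, set()).add(rule)
    needed = {"tree_collection_string_pk", "sqli_payload_in_id", "recursive_parent_eager_load"}
    return sorted(c for c in tree_cols if needed <= by_col.get(c, set()))
```

The 500 error finding is only meaningful on PostgreSQL backends, as the notes above point out; the chain correlation does not depend on it.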