CVE-2026-41640
Published 2026-05-07
Priority P2 · 68 · high · CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit
EPSS: 1.88% (76.8th percentile)
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
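As an added, defender-oriented illustration (not NocoBase's own code; the table and column names and the PostgreSQL `$n` placeholder style are assumptions), here is the concatenated IN-list pattern the advisory describes next to a parameterized equivalent, with a check showing where a key containing a quote ends up in each case:

```javascript
// Added illustration, not NocoBase's code: an ancestors query for an
// adjacency-list tree built two ways. Table and column names are assumed.
const TABLE = 'tree_items';    // assumed collection table
const PK = 'id';               // assumed string primary key column
const PARENT = 'parentId';     // assumed parent reference column

function cteBody(inList) {
  return (
    `WITH RECURSIVE ancestors AS (` +
    `SELECT ${PK}, ${PARENT} FROM ${TABLE} WHERE ${PK} IN (${inList}) ` +
    `UNION ALL ` +
    `SELECT t.${PK}, t.${PARENT} FROM ${TABLE} t ` +
    `JOIN ancestors a ON t.${PK} = a.${PARENT}` +
    `) SELECT * FROM ancestors`
  );
}

// Vulnerable shape (the pattern the advisory describes): primary key values
// read from rows are quoted and concatenated into the IN list, so a key
// containing a quote changes the statement text itself.
function buildParentSqlConcat(nodeIds) {
  const inList = nodeIds.map((id) => `'${id}'`).join(', ');
  return { sql: cteBody(inList), bind: [] };
}

// Hardened shape: one positional placeholder per key (PostgreSQL $n style,
// which Sequelize's `bind` option also accepts); the values travel out of
// band and the driver never parses them as SQL.
function buildParentSqlParameterized(nodeIds) {
  if (nodeIds.length === 0) throw new Error('nodeIds must not be empty');
  const inList = nodeIds.map((_, i) => `$${i + 1}`).join(', ');
  return { sql: cteBody(inList), bind: nodeIds.slice() };
}

// Compare both builders: does each key appear in the statement text, or
// only in the bind array?
function compare(nodeIds) {
  const concat = buildParentSqlConcat(nodeIds);
  const safe = buildParentSqlParameterized(nodeIds);
  return {
    keyInConcatSql: nodeIds.every((id) => concat.sql.includes(id)),
    keyInSafeSql: nodeIds.some((id) => safe.sql.includes(id)),
    keyInSafeBind: nodeIds.every((id) => safe.bind.includes(id)),
  };
}

const sampleKeys = ['k1', "it's"];   // constructed sample ids, one with a quote
console.log(compare(sampleKeys));
// → { keyInConcatSql: true, keyInSafeSql: false, keyInSafeBind: true }
```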
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nocobase | database | >= 0 < 2.0.39 | 2.0.39 |
| nocobase | nocobase | < 2.0.39 | 2.0.39 |
Detection & IOCs (extracted from sources)
- HTTP 500 response containing 'invalid input syntax for type integer' on a tree collection list endpoint indicates successful SQL injection trigger via recursive eager loading.
- Monitor POST requests to /api/collections:create that define a tree collection with string-type primary keys (adjacencyList tree type), as this is a prerequisite for exploitation.
- Detect SQL injection payloads in record 'id' fields containing UNION ALL SELECT or closing parentheses/quote sequences (e.g., `') UNION ALL SELECT`) submitted to NocoBase collection create endpoints.
- Vulnerable NocoBase versions are <= 2.0.32 (as checked by the nuclei template); flag instances where /api/app:getInfo returns a version at or below this threshold.
- The injection is triggered by a GET request to the tree collection list endpoint with the 'appends[]=parent(recursively=true)' parameter, which activates the vulnerable queryParentSQL() recursive CTE code path.
- The vulnerable function is queryParentSQL() in the @nocobase/database package (eager-loading-tree.ts); look for this function in source audits or stack traces in error logs.
- The nuclei template version check uses '<= 2.0.32' but the NVD advisory states the patch is in version 2.0.39; the version boundary in the template may underreport vulnerable instances between 2.0.33 and 2.0.38.
- Exploitation requires an authenticated attacker with record creation permissions on a tree collection that uses string-type primary keys; collections with integer primary keys are not affected.
- The SQL injection payload used in the template is PostgreSQL-specific (CAST(version() AS integer)::text); detection based on the error string 'invalid input syntax for type integer' is only valid for PostgreSQL backends.
- The attack chain requires multiple sequential steps: sign-in, collection creation, two malicious record creations, and finally a list request with recursive eager loading; partial flows will not trigger the vulnerability.
No detection rules found.
Nuclei template: CVE-2026-41640 NocoBase - SQL Injection (nuclei · CVSS 7.5)
NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without parameterization. An authenticated attacker with record creation permissions on a tree collection with string-type primary keys can inject arbitrary SQL via crafted record identifiers, enabling full database compromise including data exfiltration and modification.
Template (truncated in the source):
id: CVE-2026-41640
info:
  name: NocoBase - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database
No writeups or analysis indexed.
References:
- https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604
- https://github.com/nocobase/nocobase/pull/9133
- https://github.com/nocobase/nocobase/releases/tag/v2.0.39
- https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432