logo

Database

SQL injection - Code In nocodb

Description

NocoDB: SQL Injection via Column Title in Bulk GroupBy

Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.

Details

The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.

Impact

SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.

Credit

This issue was reported by @geo-chen.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-473842. NVD-2026-473843. OSV-2026-473844. GHSA-p8wx-5f39-w3x45. GCVE-2026-47384

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-p8wx-5f39-w3x42. https://github.com/nocodb/nocodb/releases/tag/2026.05.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-DAPVT – Vulnerability | Fluid Attacks Database