logo

Database

SQL injection - Code In nocodb

Description

NocoDB Vulnerable to SQL Injection via DATEADD Formula

Summary

An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.

Details

The third argument (unit) of DATEADD was interpolated directly into knex.raw() queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST node types — non-Literal types bypassed validation entirely. Affected MySQL, PostgreSQL, and SQLite function mappings.

Impact

SQL injection allowing data exfiltration or modification, scoped to the connected database.

Credit

This issue was reported by @q1uf3ng.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-283992. NVD-2026-283993. OSV-2026-283994. GHSA-45rp-9p97-h8525. GCVE-2026-28399

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h8522. https://github.com/nocodb/nocodb/releases/tag/0.301.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-VFWKE – Vulnerability | Fluid Attacks Database