CVE-2026-34825
MEDIUMNocoBase Has SQL Injection via template variable substitution in workflow SQL node
Title source: cnaDescription
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j
X_Refsource_Misc x_refsource_misc
https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c
X_Refsource_Misc x_refsource_misc
https://github.com/nocobase/nocobase/releases/tag/v2.0.30
Scores
CVSS v3
6.5
EPSS
0.0041
EPSS Percentile
32.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
nocobase/nocobase
< 2.0.30 (2 CPE variants)
nocobase/plugin-workflow-sql
0 - 2.0.30npm
Published
Apr 02, 2026
Tracked Since
Apr 03, 2026