CVE-2026-41641

HIGH NUCLEI

NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call

Title source: cna

Exploitation Summary

CVE-2026-41641 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.

Nuclei Templates (1)

NocoBase - SQL Injection

HIGHVERIFIEDby theamanrawat

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh

X_Refsource_Misc x_refsource_misc

https://github.com/nocobase/nocobase/pull/9134

X_Refsource_Misc x_refsource_misc

https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/nocobase/nocobase/releases/tag/v2.0.39

Scores

CVSS v3 7.2

EPSS 0.0021

EPSS Percentile 43.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-284 CWE-89

Status published

Products (2)

nocobase/nocobase < 2.0.39 (2 CPE variants)

nocobase/plugin-collection-sql 0 - 2.0.39npm

Published May 07, 2026

Tracked Since May 07, 2026