CVE-2026-52887
NocoBase · NocoBase
NocoBase is vulnerable to SQL injection due to improper sanitization of input in the application notification plugin, allowing unauthenticated remote code execution.
Executive summary
An unauthenticated SQL injection vulnerability in NocoBase allows remote attackers to execute arbitrary system commands, posing a critical risk to the entire application environment.
Vulnerability
This vulnerability occurs because the application fails to properly sanitize the filter parameter in the notification channel API, leading to SQL injection. Attackers can leverage this to execute stacked PostgreSQL queries and potentially trigger code execution via system-level commands.
Business impact
The exploitation of this flaw grants an attacker full control over the underlying database and potentially the host operating system. Given the CVSS score of 10.0, this represents a total compromise of confidentiality, integrity, and availability, likely resulting in catastrophic data loss or long-term persistence within the enterprise network.
Remediation
Immediate Action: Update NocoBase to version 2.0.61 or later immediately to incorporate the necessary input validation fixes.
Proactive Monitoring: Review database logs for unusual query patterns, specifically those containing stacked commands or attempts to interact with system-level functions like COPY.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block malicious SQL injection patterns and restrict access to the /api/myInAppChannels endpoints from untrusted sources.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is critical and must be prioritized for immediate remediation. Administrators should verify their current version and apply the patch provided by NocoBase without delay to prevent unauthorized system access.