Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-52887

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.

View on NVD

Analysis

NocoBase presenta una vulnerabilidad crítica de inyección SQL en su plugin de notificaciones que permite a usuarios autenticados ejecutar sentencias PostgreSQL arbitrarias. El fallo aprovecha una concatenación insegura en Sequelize para escalar a la ejecución de comandos del sistema mediante el uso de COPY TO PROGRAM. Es fundamental actualizar a la versión 2.0.61 para evitar el compromiso total del servidor y la infraestructura del backend.

Relevant roles

BackendSqlJavascriptTypescriptCyberSecurityIA

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-89

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.

Published: 7/15/2026, 9:16:54 PM
Last modified: 7/15/2026, 9:16:54 PM

References

HomeEventsBlogResourcesTeam