CVE-2026-52887
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.
Ver en NVDAnálisis
NocoBase presenta una vulnerabilidad crítica de inyección SQL en su plugin de notificaciones que permite a usuarios autenticados ejecutar sentencias PostgreSQL arbitrarias. El fallo aprovecha una concatenación insegura en Sequelize para escalar a la ejecución de comandos del sistema mediante el uso de COPY TO PROGRAM. Es fundamental actualizar a la versión 2.0.61 para evitar el compromiso total del servidor y la infraestructura del backend.
Roles relevantes
Severidad
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCWE-89EPSS
Sin puntaje EPSS aún (CVE muy reciente).
Descripción técnica
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.