Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-52887

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.

Ver en NVD

Análisis

NocoBase presenta una vulnerabilidad crítica de inyección SQL en su plugin de notificaciones que permite a usuarios autenticados ejecutar sentencias PostgreSQL arbitrarias. El fallo aprovecha una concatenación insegura en Sequelize para escalar a la ejecución de comandos del sistema mediante el uso de COPY TO PROGRAM. Es fundamental actualizar a la versión 2.0.61 para evitar el compromiso total del servidor y la infraestructura del backend.

Roles relevantes

BackendSqlJavascriptTypescriptCyberSecurityIA

Severidad

Puntaje: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-89

EPSS

Sin puntaje EPSS aún (CVE muy reciente).

Descripción técnica

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.

Publicada: 15/7/2026, 21:16:54
Última modificación: 15/7/2026, 21:16:54

Referencias

InicioEventosBlogRecursosEquipo