{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34825", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.283Z", "datePublished": "2026-04-02T19:06:07.592Z", "dateUpdated": "2026-04-03T12:56:41.506Z"}, "containers": {"cna": {"title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"}, {"name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"}, {"name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"}], "affected": [{"vendor": "nocobase", "product": "nocobase", "versions": [{"version": "< 2.0.30", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:06:07.592Z"}, "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."}], "source": {"advisory": "GHSA-vx58-fwwq-5g8j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:56:37.627950Z", "id": "CVE-2026-34825", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:56:41.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34825", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:56:37.627950Z"}}}], "references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:56:29.178Z"}}], "cna": {"title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node", "source": {"advisory": "GHSA-vx58-fwwq-5g8j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nocobase", "product": "nocobase", "versions": [{"status": "affected", "version": "< 2.0.30"}]}], "references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c", "name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30", "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:06:07.592Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34825", "state": "PUBLISHED", "dateUpdated": "2026-04-03T12:56:41.506Z", "dateReserved": "2026-03-30T20:52:53.283Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:06:07.592Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."}], "id": "CVE-2026-34825", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:26.247", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"}, {"source": "security-advisories@github.com", "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"}, {"source": "security-advisories@github.com", "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.30)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nocobase", "source": "cna", "vendor": "nocobase"}, "product": "nocobase", "vendor": "nocobase"}], "analysis": {"en": {"generated_at": "2026-04-02T22:20:18.080866+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to upgrade NocoBase to version 2.0.30 or newer.", "If an immediate upgrade is not possible, disable or remove any workflow SQL nodes that accept user\u2011supplied template variables to prevent injection.", "Monitor database activity and application logs for anomalous SQL queries that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "All NocoBase installations running a version prior to 2.0.30 are vulnerable, including the plugin\u2011workflow\u2011sql component that performs the unsafe substitution. No data is given for later releases; the issue was addressed in v2.0.30.", "description_and_impact": "NocoBase allows template variables to be substituted directly into raw SQL in the workflow SQL node without parameterization or escaping, creating a clear path for arbitrary SQL execution. An attacker who can trigger a workflow that includes a SQL node with user\u2011controlled template variables can inject malicious SQL, potentially reading, modifying, or deleting application data and compromising database integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 8.5 indicates a high\u2011severity flaw with the potential for significant damage. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw internally by configuring a workflow that sources template variables from user input, allowing direct manipulation of SQL statements against the database."}}}}, "created": "2026-04-03T07:31:30.294353+00:00", "updated": "2026-04-03T09:16:26.230994+00:00", "vendors": ["nocobase", "nocobase$PRODUCT$nocobase"]}