CVE-2026-47375 in NocoDB

Summary

by MITRE • 06/24/2026

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.


Analysis

by VulDB Data Team • 06/24/2026

This vulnerability exists within NocoDB's database management system where an authenticated user with specific columnAdd permissions can execute arbitrary SQL commands through a flaw in the formula engine's handling of the ARRAYSORT function. The vulnerability specifically impacts installations using PostgreSQL backend databases and occurs when the direction argument of ARRAYSORT is manipulated, allowing for direct injection into the underlying database queries.

The technical implementation of this vulnerability stems from inadequate input validation within the PostgreSQL-specific function mapping located in packages/nocodb/src/db/functionMappings/pg.ts. When a user provides an unrestricted value for the direction parameter in the ARRAYSORT function, this input bypasses formula validation mechanisms and gets directly embedded into a knex.raw ORDER BY clause during both column creation and subsequent record reads. This design flaw creates a persistent SQL injection vector that operates at the database abstraction layer rather than through traditional web application interfaces.

The operational impact of this vulnerability is significant as it allows authenticated attackers to execute arbitrary SQL commands with the privileges of the database user running the NocoDB service. Since the injection occurs during column creation and continues to execute on every record read, the vulnerability provides persistent access to database operations throughout the lifecycle of affected formula columns. This means that even after initial exploitation, the malicious SQL commands continue to execute automatically whenever the formula column is accessed, creating a long-term persistence mechanism.

The vulnerability aligns with CWE-89 which categorizes SQL injection flaws as weaknesses in input validation and query construction. From an ATT&CK perspective, this represents a privilege escalation and command execution technique where an authenticated user leverages their existing permissions to gain broader database access capabilities. The attack vector specifically maps to T1078 Valid Accounts and T1213 Data from Information Repositories, as it exploits legitimate user credentials to access underlying database resources through the formula engine.

Organizations should immediately upgrade to NocoDB version 2026.04.1 which contains the necessary fixes for this vulnerability. Additionally, administrators should implement strict input validation controls and consider implementing database user privilege separation where possible. Monitoring for unusual database query patterns and implementing proper network segmentation between database servers and application layers can help detect potential exploitation attempts. The fix addresses the core issue by properly sanitizing the direction argument before embedding it into database queries, ensuring that only valid sorting parameters are accepted.
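To make the fix described above concrete, here is an added example (not NocoDB's code and not the actual patch) contrasting the weak pattern, where the formula's direction argument is interpolated into the ORDER BY text, with an allowlisted version that accepts only the two sort keywords. The SQL shape of the ARRAYSORT mapping and the function names are assumptions; the builders return the SQL fragment as a string in place of a knex.raw call.

```typescript
// Added example, not NocoDB's own code. Models the ARRAYSORT(...) Postgres
// mapping described in the advisory: a formula-supplied direction argument
// ends up inside an ORDER BY clause. The SQL shape is an assumption.

type SortDirection = 'ASC' | 'DESC';

// Postgres identifier quoting: wrap in double quotes, double any inner quote.
function quoteIdent(name: string): string {
  return `"${name.replace(/"/g, '""')}"`;
}

// Weak pattern (the bug class on this page): the direction string is
// concatenated into the SQL text without any check, so anything the
// formula author typed becomes part of the query.
function buildArraySortSqlUnsafe(column: string, direction: string): string {
  return `(SELECT array_agg(x ORDER BY x ${direction}) FROM unnest(${quoteIdent(column)}) AS x)`;
}

// Hardened pattern: normalise the argument, then accept only the two
// literal keywords. Anything else is rejected at formula validation time,
// before it can reach the query builder.
function normaliseDirection(direction: string | undefined): SortDirection {
  const d = (direction ?? 'asc').trim().toLowerCase();
  if (d === 'asc') return 'ASC';
  if (d === 'desc') return 'DESC';
  throw new Error(`ARRAYSORT: direction must be "asc" or "desc", got ${JSON.stringify(direction)}`);
}

function buildArraySortSqlSafe(column: string, direction?: string): string {
  const dir = normaliseDirection(direction); // throws on anything unexpected
  return `(SELECT array_agg(x ORDER BY x ${dir}) FROM unnest(${quoteIdent(column)}) AS x)`;
}

// Convenience check for comparing the two builders on the same input.
function isRejectedBySafeBuilder(direction: string): boolean {
  try {
    buildArraySortSqlSafe('tags', direction);
    return false;
  } catch {
    return true;
  }
}
```

The safe builder makes the advisory's "only valid sorting parameters are accepted" property explicit: a value such as `sideways` passes straight into the unsafe fragment but is refused by `normaliseDirection` before any SQL is built.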

Responsible: GitHub M

Reservation: 05/19/2026

Disclosure: 06/24/2026

Moderation: accepted

CPE: ready

EPSS: 0.00215

KEV: no

Activities: very low

Sources
