CVE-2026-52887 in NocoBase
Summary
by MITRE • 07/15/2026
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability identified in NocoBase versions prior to 2.0.61 represents a critical SQL injection flaw within the in-app notification plugin that exposes significant attack surface for authenticated users. This issue resides in the @nocobase/plugin-notification-in-app-message component where the API endpoint GET /api/myInAppChannels:list processes user-provided filter parameters without adequate input sanitization. The specific technical flaw occurs when the filter[latestMsgReceiveTimestamp][$lt] parameter value is directly inserted into a Sequelize.literal() template string, bypassing standard parameter binding mechanisms that would normally protect against SQL injection attacks.
The operational impact of this vulnerability extends beyond traditional database exploitation as it creates opportunities for stacked query execution within the PostgreSQL backend. When an authenticated user manipulates the filter parameter, the malicious input can trigger multiple sequential SQL statements through the COPY ... TO PROGRAM functionality available in PostgreSQL. This capability allows attackers to potentially execute arbitrary system commands on the database server, effectively elevating their privileges from mere application user access to potential system-level control. The vulnerability affects any signed-up authenticated user, removing the requirement for privileged accounts and broadening the attack surface considerably.
This security flaw aligns with CWE-89, which specifically addresses SQL injection vulnerabilities where untrusted data is incorporated into database queries without proper sanitization or parameterization. The implementation directly violates secure coding principles by treating user input as executable code within a database context. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1078.004 which covers valid accounts and T1566.002 which involves spearphishing attachments or links, as it provides a path for authenticated access that could be leveraged in broader attack chains. The attack vector specifically demonstrates how application-level authentication bypasses can lead to database compromise through poorly validated input handling.
The remediation implemented in version 2.0.61 addresses the root cause by ensuring proper parameter binding and input sanitization within the Sequelize query construction process. This fix prevents the direct insertion of user-provided values into SQL template strings without appropriate escaping or parameterization mechanisms. Organizations should immediately upgrade to version 2.0.61 or later to mitigate this vulnerability, while also implementing monitoring for anomalous API usage patterns that might indicate exploitation attempts. The vulnerability serves as a critical reminder of the importance of proper input validation and parameterized queries in preventing database-level command execution attacks.