CVE-2026-52888 in NocoBaseinfo

Summary

by MITRE • 07/15/2026

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. In 2.0.59 and earlier, NocoBase @nocobase/plugin-collection-sql used the checkSQL() function in packages/plugins/@nocobase/plugin-collection-sql/src/server/utils.ts with an incomplete keyword blacklist that did not restrict PostgreSQL system catalog tables such as pg_shadow, pg_roles, and pg_stat_activity, allowing an admin-role user to read password hashes and database metadata through the SQL Collection feature. This vulnerability is fixed in 2.1.0-alpha.46.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability resides within NocoBase's @nocobase/plugin-collection-sql plugin where the checkSQL() function implements an incomplete keyword blacklist mechanism. This flaw exists in versions prior to 2.1.0-alpha.46 and specifically affects the SQL Collection feature that allows administrative users to execute database queries through the platform interface. The incomplete blacklist fails to properly restrict access to critical PostgreSQL system catalog tables including pg_shadow which contains password hashes, pg_roles that stores role information, and pg_stat_activity which provides database session metadata. These system tables contain sensitive information that could be exploited by malicious actors with administrative privileges.

The technical implementation of this vulnerability demonstrates a classic security misconfiguration where the security controls are insufficiently restrictive. The checkSQL() function's keyword filtering mechanism does not adequately protect against access to PostgreSQL's internal system catalogs, creating an information disclosure vulnerability that directly violates the principle of least privilege. An attacker with admin-level access can leverage this flaw to extract password hashes from pg_shadow, which would enable credential reuse attacks or offline password cracking attempts. Additionally, metadata from pg_roles and pg_stat_activity provides detailed insights into database roles, user permissions, and active database sessions, potentially exposing the entire database infrastructure to further exploitation.

The operational impact of this vulnerability is significant as it allows authenticated administrative users to perform unauthorized data extraction from critical system tables without proper authorization controls. This represents a privilege escalation scenario where the existing administrative access is leveraged to gain additional sensitive information that would typically require direct database access or elevated privileges. The exposure of password hashes in pg_shadow particularly increases risk for credential-based attacks, while metadata from other system tables enables comprehensive reconnaissance of the database environment. This vulnerability effectively undermines the platform's security model by allowing information disclosure through legitimate administrative interfaces.

The mitigation strategy involves upgrading to NocoBase version 2.1.0-alpha.46 or later where the checkSQL() function has been properly enhanced with a comprehensive keyword blacklist that includes restrictions on PostgreSQL system catalog tables. Organizations should also implement additional monitoring and logging of SQL query execution within the platform to detect anomalous access patterns. The fix addresses the underlying CWE-20 issue related to improper input sanitization by ensuring complete restriction of access to sensitive system tables. Security teams should conduct thorough review of all administrative interfaces to ensure similar keyword filtering mechanisms are properly implemented and regularly tested against known database system catalog tables that could be exploited for information disclosure attacks. This vulnerability aligns with ATT&CK technique T1087.001 for account discovery and T1566.001 for credential access through unauthorized data extraction from database systems.

Responsible

GitHub M

Reservation

06/08/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!