NocoBase up to 2.1.18 Backup Management _metadata.json exec database.schema os command injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.59+ |
Summary
A vulnerability was found in NocoBase up to 2.1.18. It has been classified as problematic. This issue affects the function exec of the file _metadata.json of the component Backup Management. This manipulation of the argument database.schema causes os command injection.
This vulnerability is registered as CVE-2026-55410. Remote exploitation of the attack is possible. No exploit is available.
Details
A vulnerability classified as problematic was found in NocoBase up to 2.1.18. Affected by this vulnerability is the function exec of the file _metadata.json of the component Backup Management. The manipulation of the argument database.schema with an unknown input leads to a os command injection vulnerability. The CWE definition for the vulnerability is CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.1.19, NocoBase @nocobase/plugin-backups restored PostgreSQL backups by interpolating the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec(), allowing a backup-management user restoring a crafted backup to execute commands as the NocoBase server process. This vulnerability is fixed in 2.1.19.
The advisory is shared at github.com. This vulnerability is known as CVE-2026-55410 since 06/16/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation requires an enhanced level of successful authentication. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1202 for this issue.
By approaching the search of inurl:_metadata.json it is possible to find vulnerable targets with Google Hacking.
Upgrading to version 2.1.19 eliminates this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Name
Version
- 2.1.0
- 2.1.1
- 2.1.2
- 2.1.3
- 2.1.4
- 2.1.5
- 2.1.6
- 2.1.7
- 2.1.8
- 2.1.9
- 2.1.10
- 2.1.11
- 2.1.12
- 2.1.13
- 2.1.14
- 2.1.15
- 2.1.16
- 2.1.17
- 2.1.18
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Os command injectionCWE: CWE-78 / CWE-77 / CWE-74
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Google Hack: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔒
Upgrade: NocoBase 2.1.19
Timeline
06/16/2026 CVE reserved07/15/2026 Advisory disclosed
07/15/2026 VulDB entry created
07/15/2026 VulDB entry last update
Sources
Product: github.comAdvisory: github.com
Status: Confirmed
CVE: CVE-2026-55410 (🔒)
GCVE (CVE): GCVE-0-2026-55410
GCVE (VulDB): GCVE-100-379405
Entry
Created: 07/15/2026 22:56Changes: 07/15/2026 22:56 (55)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.