Vulnerability Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nocobase | Nocobase | < 2.0.39 |
Related Weaknesses (CWE)
References
- https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff94Patch
- https://github.com/nocobase/nocobase/pull/9133Issue TrackingPatch
- https://github.com/nocobase/nocobase/releases/tag/v2.0.39PatchRelease Notes
- https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432ExploitMitigationVendor Advisory
- https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-41640?
CVE-2026-41640 is a vulnerability with a CVSS score of 7.5 (HIGH). NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package con...
How severe is CVE-2026-41640?
CVE-2026-41640 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41640?
Check the references section above for vendor advisories and patch information. Affected products include: Nocobase Nocobase.