{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34825", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.283Z", "datePublished": "2026-04-02T19:06:07.592Z", "dateUpdated": "2026-04-03T12:56:41.506Z"}, "containers": {"cna": {"title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"}, {"name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"}, {"name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"}], "affected": [{"vendor": "nocobase", "product": "nocobase", "versions": [{"version": "< 2.0.30", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:06:07.592Z"}, "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."}], "source": {"advisory": "GHSA-vx58-fwwq-5g8j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:56:37.627950Z", "id": "CVE-2026-34825", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:56:41.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34825", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:56:37.627950Z"}}}], "references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:56:29.178Z"}}], "cna": {"title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node", "source": {"advisory": "GHSA-vx58-fwwq-5g8j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nocobase", "product": "nocobase", "versions": [{"status": "affected", "version": "< 2.0.30"}]}], "references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c", "name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30", "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:06:07.592Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34825", "state": "PUBLISHED", "dateUpdated": "2026-04-03T12:56:41.506Z", "dateReserved": "2026-03-30T20:52:53.283Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:06:07.592Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nocobase:nocobase:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C257217-101E-4AC6-85A9-2B99BD2A86C0", "versionEndExcluding": "2.0.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."}], "id": "CVE-2026-34825", "lastModified": "2026-04-10T15:16:03.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:26.247", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.30)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nocobase", "source": "cna", "vendor": "nocobase"}, "product": "nocobase", "vendor": "nocobase"}], "analysis": {"en": {"generated_at": "2026-04-10T16:26:46.154165+00:00", "value": {"mitigation_remediation": ["Verify the current NocoBase version in use", "Upgrade the platform to version 2.0.30 or later, which implements parameterized queries for the workflow SQL node", "Validate that workflows no longer include unescaped template variables and test functionality after the upgrade"], "summary": {"action": "Patch Immediately", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the NocoBase platform, specifically the plugin\u2011workflow\u2011sql component. All deployments running a version older than 2.0.30 are susceptible. The issue has been addressed in release 2.0.30, which replaces unsafe string concatenation with safe parameter handling.", "description_and_impact": "NocoBase, an AI\u2011powered no\u2011code platform, allows users to build workflows that execute SQL statements through a plugin. In versions before 2.0.30 the workflow SQL node concatenates template variables directly into raw SQL strings without input validation, escaping, or prepared statement usage. This defect enables any user who can supply values for template variables in a workflow trigger to inject arbitrary SQL. The injected code can read, modify, or delete records, potentially exposing sensitive business data, corrupting application state, or facilitating further attacks against the database.", "risk_and_exploitability": "The CVSS score of 8.5 classifies this as a high\u2011impact flaw, and the EPSS score of less than 1% indicates that exploitation is currently rare. The vulnerability has not been cataloged in CISA\u2019s KEV list. The attack vector can be inferred to require a user who can trigger a workflow that contains template variables sourced from user\u2011controlled data; thus, an authenticated or privileged user with workflow creation rights could exploit it. Exploitation would allow unauthorized data access or manipulation via the target database."}}}}, "created": "2026-04-03T07:31:30.294353+00:00", "updated": "2026-04-13T14:28:02.485716+00:00", "vendors": ["nocobase", "nocobase$PRODUCT$nocobase"]}