GHSA-p8wx-5f39-w3x4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p8wx-5f39-w3x4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-p8wx-5f39-w3x4/GHSA-p8wx-5f39-w3x4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p8wx-5f39-w3x4
- Aliases
-
- CVE-2026-47384
- Published
- 2026-06-05T16:19:59Z
- Modified
- 2026-06-05T16:30:07.741768110Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- NocoDB: SQL Injection via Column Title in Bulk GroupBy
- Details
-
Summary
An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.
Details
The bulk groupBy path in
group-by.tsbuilds three database-specificknex.raw()aggregations that interpolate the request'scolumn_namedirectly into the SQL string. Column lookup indata-table.service.tsmatches on both the sanitizedcolumn_namefield and the free-texttitle, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.Impact
SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.
Credit
This issue was reported by @geo-chen.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-89" ], "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-06-05T16:19:59Z" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb