CVE-2026-34825 HIGH

CVE-2026-34825: NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Vendor Nocobase

Product nocobase

Weakness CWE-89 · SQLi

Published April 2, 2026

Last update April 3, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.

Key dates

02Disclosure timeline

April 2, 2026 CVE published

April 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34825 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2026-34825: NocoBase Has SQL Injection via template variable substitution in workflow SQL node

01Description

02Disclosure timeline

03References

04Related CVE