CVE-2026-41640 HIGH

CVE-2026-41640: NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading

Vendor Nocobase
Product nocobase
Weakness CWE-89 · SQLi
Published May 7, 2026
Last update May 7, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.

Key dates

02Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-3756 SourceCodester Sales and Inventory System check_item_details.php sql injection CVE-2023-6657 SourceCodester Simple Student Attendance System student_form.php sql injection CVE-2026-35470 OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals CVE-2024-2520 MAGESH-K21 Online-College-Event-Hall-Reservation-System bookdate.php sql injection CVE-2025-9051 projectworlds Travel Management System updatecategory.php sql injection