EXECUTIVE SUMMARY:
Two vulnerabilities, an SQL injection and an SQL validation bypass, have been identified in the npm packages @nocobase/database and @nocobase/plugin-collection-sql. Both can be exploited by an attacker holding certain privileges, and their business impact is significant: either can lead to unauthorized data access and exfiltration. An attacker can create a record with a malicious string primary key to inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. Separately, an attacker with collection management permissions can create a SQL collection with benign SQL, update it with arbitrary SQL that bypasses all validation, and then query the collection to execute the injected SQL and exfiltrate data. The business risk is elevated by the ease of exploitation and the potential for significant data breaches.

CVE-2026-41640 (CVSS score of 7.5): this vulnerability allows an attacker to inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. The attacker capability is high, and the prerequisite is being able to create a record with a malicious string primary key. The `queryParentSQL()` function in the core database package constructs a recursive CTE query by joining `nodeIds` into the SQL text with string concatenation instead of using parameterized queries.

CVE-2026-41641 (CVSS score of 7.2): this vulnerability allows an attacker to bypass SQL validation and inject arbitrary SQL. The attacker capability is high, and the prerequisite is holding collection management permissions. The `checkSQL()` validation function that blocks dangerous SQL keywords is applied on the `collections:create` and `sqlCollection:execute` endpoints but is entirely missing on the `sqlCollection:update` endpoint.
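To illustrate the `queryParentSQL()` weakness, the following added example (not NocoBase's own code) places the concatenation pattern the advisory describes beside a parameterized build of the same recursive CTE, so that the SQL text no longer depends on the contents of `nodeIds`. The table and column names (`tree_nodes`, `id`, `parent_id`) and the `$n` placeholder style are assumptions for illustration.

```javascript
// Added example, not code from @nocobase/database. Table/column names and
// the $n placeholder style are assumptions.

// Pattern the advisory describes: ids are spliced into the SQL text, so a
// string primary key containing a quote changes the statement itself.
function queryParentSQLConcat(nodeIds) {
  const list = nodeIds.map((id) => `'${id}'`).join(', ');
  return `WITH RECURSIVE cte AS (
  SELECT id, parent_id FROM tree_nodes WHERE id IN (${list})
  UNION ALL
  SELECT t.id, t.parent_id FROM tree_nodes t JOIN cte ON t.id = cte.parent_id
) SELECT id, parent_id FROM cte`;
}

// Hardened form: one placeholder per id, values handed to the driver as
// bound parameters. The SQL text is identical for any ids of the same count.
function queryParentSQLParams(nodeIds) {
  if (!Array.isArray(nodeIds) || nodeIds.length === 0) {
    throw new TypeError('nodeIds must be a non-empty array');
  }
  for (const id of nodeIds) {
    if (typeof id !== 'string' && typeof id !== 'number') {
      throw new TypeError('nodeIds must contain only strings or numbers');
    }
  }
  const placeholders = nodeIds.map((_, i) => `$${i + 1}`).join(', ');
  const sql = `WITH RECURSIVE cte AS (
  SELECT id, parent_id FROM tree_nodes WHERE id IN (${placeholders})
  UNION ALL
  SELECT t.id, t.parent_id FROM tree_nodes t JOIN cte ON t.id = cte.parent_id
) SELECT id, parent_id FROM cte`;
  return { sql, params: [...nodeIds] };
}

// Constructed sample: a benign id next to one containing a single quote.
const sampleIds = ['n1', "n2' quoted"];
console.log(queryParentSQLParams(sampleIds));
```

A regression check for the fix is to assert that the generated SQL string for an id containing a quote is byte-for-byte the same as for a plain id, with the difference confined to the bound parameter list.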
RECOMMENDATION:
We recommend updating npm/@nocobase/database and npm/@nocobase/plugin-collection-sql to version 2.0.41 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-4948-f92q-f432
https://github.com/advisories/GHSA-wrwh-c28m-9jjh