{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41640/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["NocoBase"],"_cs_severities":["critical"],"_cs_tags":["sqli","nocobase","cve-2026-41640","injection"],"_cs_type":"advisory","_cs_vendors":["NocoBase"],"content_html":"\u003cp\u003eA SQL injection vulnerability exists in NocoBase version 2.0.32 and earlier due to string concatenation in the \u003ccode\u003equeryParentSQL()\u003c/code\u003e function within the \u003ccode\u003e@nocobase/database\u003c/code\u003e core package. The vulnerability stems from how the \u003ccode\u003equeryParentSQL()\u003c/code\u003e function constructs a recursive CTE query by concatenating \u003ccode\u003enodeIds\u003c/code\u003e instead of using parameterized queries. An attacker with record creation permissions on a tree collection with string-type primary keys can inject arbitrary SQL via a malicious string primary key value in a created record. This injection is triggered when a subsequent request initiates recursive eager loading on that collection. This can lead to confidentiality breaches (extraction of database values including credentials), integrity issues (data manipulation via stacked queries), and availability problems (resource exhaustion). On PostgreSQL with superuser privileges, OS command execution is possible. The vulnerability affects all collections using a tree/adjacency-list structure with string primary keys. The same concatenation pattern also exists in \u003ccode\u003eplugin-field-sort/src/server/sort-field.ts:124\u003c/code\u003e. 
The vulnerability is tracked as CVE-2026-41640.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains access to the NocoBase application with an account that is allowed to create records in a collection; no administrative privilege is required.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a \u0026ldquo;tree\u0026rdquo; collection that uses a string-type primary key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious primary key string carrying a SQL injection payload, such as \u003ccode\u003eroot') UNION ALL SELECT CAST((SELECT email FROM users LIMIT 1) AS integer)::text, NULL::text WHERE ('1'='1\u003c/code\u003e. This sample is PostgreSQL syntax and is error-based: the \u003ccode\u003eCAST\u003c/code\u003e of a non-numeric email to \u003ccode\u003einteger\u003c/code\u003e fails, and PostgreSQL echoes the offending value in the error text.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new record in the target collection using the crafted primary key.\u003c/li\u003e\n\u003cli\u003eA subsequent request triggers recursive eager loading on the target collection, specifically when a \u003ccode\u003eBelongsTo\u003c/code\u003e association has \u003ccode\u003erecursively: true\u003c/code\u003e and instances exist, which calls the vulnerable \u003ccode\u003equeryParentSQL\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003equeryParentSQL\u003c/code\u003e function concatenates the stored primary key into the recursive CTE without escaping or parameterization, so the quote in the value closes the string literal and the rest of the value is parsed as SQL.\u003c/li\u003e\n\u003cli\u003eThe injected SQL is executed against the database with the privileges of the application's database role, allowing the attacker to extract data through error messages or to run other statements.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the extracted value from the error returned to the client or, if database errors are not surfaced, through another channel such as data written via stacked queries into a record the attacker can read.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SQL injection vulnerability can lead to severe consequences. 
Successful exploitation can result in the unauthorized disclosure of sensitive information, including database credentials and other user data. Because the injected SQL runs as the application's database role, attackers can also modify data (the overview notes stacked queries) or exhaust database resources. Where that role is a PostgreSQL superuser, operating-system command execution becomes possible as well, since a superuser can run server-side programs (for example via \u003ccode\u003eCOPY ... TO PROGRAM\u003c/code\u003e). Error-based extraction as in the sample payload additionally depends on database error text reaching the client. The vulnerability affects all collections using a tree/adjacency-list structure with string-type primary keys, so every such collection is an injection point. Confirmed extractions include version information, database names, emails, and password hashes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NocoBase SQL Injection Attempt in Primary Key\u003c/code\u003e to your SIEM to detect attempts to exploit this vulnerability via malicious primary key values.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix from the advisory: replace the string concatenation in \u003ccode\u003epackages/core/database/src/eager-loading/eager-loading-tree.ts\u003c/code\u003e (the eager-loading code that contains \u003ccode\u003equeryParentSQL()\u003c/code\u003e) with a parameterized query that binds each node id.\u003c/li\u003e\n\u003cli\u003eApply the same fix to \u003ccode\u003eplugin-field-sort/src/server/sort-field.ts:124\u003c/code\u003e, which carries the identical concatenation pattern noted in the overview.\u003c/li\u003e\n\u003cli\u003eAs defense in depth, validate primary key values at record creation time and reject or escape values containing SQL metacharacters (\u003ccode\u003e'\u003c/code\u003e, \u003ccode\u003e\u0026quot;\u003c/code\u003e, \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e--\u003c/code\u003e) in string-type primary key fields, as suggested in the advisory; an allow-list of permitted characters is stricter than a blocklist. This does not replace the parameterized query, because the stored value is still concatenated.\u003c/li\u003e\n\u003cli\u003eUntil the fix is deployed, confirm that the database role NocoBase connects with is not a PostgreSQL superuser (\u003ccode\u003eSELECT rolsuper FROM pg_roles WHERE rolname = current_user\u003c/code\u003e should return \u003ccode\u003efalse\u003c/code\u003e) and that raw database error messages are not returned to API clients; neither closes the injection, but both limit what it can reach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nocobase-sqli/","summary":"NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string 
concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.","title":"NocoBase SQL Injection via Recursive Eager Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-nocobase-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-41640","version":"https://jsonfeed.org/version/1.1"}
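Worked example, added after this feed entry and not taken from NocoBase's code: a builder with the concatenation shape the entry describes next to a parameterized version of the same recursive CTE, a small scanner for SQL string literals that shows where the entry's sample payload ends up in each, and an allow-list check for string primary keys as the defense-in-depth step from the recommendation. Every name in it (ParentQuery, queryParentSQLVulnerable, queryParentSQLSafe, sqlStringLiterals, isAcceptablePrimaryKey, demo, the tree_nodes table and parentId column, PostgreSQL-style $n placeholders) is an assumption for illustration; the real queryParentSQL() signature and SQL text differ, and the sample payload is the one quoted in the attack chain.

```typescript
// Added example for CVE-2026-41640, not NocoBase's own code. All names below are
// assumptions for illustration: the real queryParentSQL() differs in signature
// and SQL text, and NocoBase's driver may use a different placeholder style.

type ParentQuery = { text: string; values: string[] };

// The page's sample payload, reused here as constructed test input.
const SAMPLE_PAYLOAD =
  "root') UNION ALL SELECT CAST((SELECT email FROM users LIMIT 1) AS integer)::text, NULL::text WHERE ('1'='1";

// Identifiers cannot be bound as parameters. They come from the collection
// schema rather than request data, so restrict them to a strict allow-list
// before quoting; anything else is refused rather than escaped.
function quoteIdent(name: string): string {
  if (!/^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(name)) {
    throw new Error(`unsafe identifier: ${name}`);
  }
  return `"${name}"`;
}

// Recursive CTE walking up an adjacency list (assumed column "parentId") from
// the ids in inList; the two builders differ only in how inList is produced.
function recursiveCte(table: string, inList: string): string {
  const t = quoteIdent(table);
  return (
    `WITH RECURSIVE cte AS (` +
    ` SELECT id, "parentId" FROM ${t} WHERE id IN (${inList})` +
    ` UNION ALL` +
    ` SELECT c.id, c."parentId" FROM ${t} c JOIN cte ON c.id = cte."parentId"` +
    `) SELECT id, "parentId" FROM cte`
  );
}

// Vulnerable shape: every nodeId is wrapped in quotes and spliced into the
// SQL text. A quote inside an id closes the literal and the remainder is
// parsed as SQL, which is how the sample payload turns IN (...) into a UNION.
function queryParentSQLVulnerable(table: string, nodeIds: string[]): ParentQuery {
  const inList = nodeIds.map((id) => `'${id}'`).join(", ");
  return { text: recursiveCte(table, inList), values: [] };
}

// Fixed shape: one positional placeholder per nodeId ($1, $2, ... as in the
// PostgreSQL extended protocol). Values travel to the server separately from
// the statement text, so a quote inside an id is only data.
function queryParentSQLSafe(table: string, nodeIds: string[]): ParentQuery {
  if (nodeIds.length === 0) throw new Error("nodeIds must not be empty");
  const inList = nodeIds.map((_, i) => `$${i + 1}`).join(", ");
  return { text: recursiveCte(table, inList), values: [...nodeIds] };
}

// Minimal scanner for single-quoted SQL string literals ('' is an escaped
// quote). Used only to show where a value lands: as one bound value in the
// safe query, or broken into fragments across the vulnerable statement.
function sqlStringLiterals(sql: string): string[] {
  const literals: string[] = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i += 1; continue; }
    let lit = "";
    i += 1; // skip opening quote
    while (i < sql.length) {
      if (sql[i] === "'" && sql[i + 1] === "'") { lit += "'"; i += 2; continue; }
      if (sql[i] === "'") break;
      lit += sql[i];
      i += 1;
    }
    i += 1; // skip closing quote
    literals.push(lit);
  }
  return literals;
}

// Defense in depth for string primary keys at record creation. An allow-list
// is stricter than rejecting the metacharacters the recommendation lists, but
// it does not replace the parameterized query: concatenation stays unsafe.
function isAcceptablePrimaryKey(value: string): boolean {
  return /^[A-Za-z0-9_.:-]{1,64}$/.test(value);
}

// Run both builders on the same ids and return what a reviewer would inspect.
function demo(table = "tree_nodes", nodeIds = [SAMPLE_PAYLOAD]) {
  const vulnerable = queryParentSQLVulnerable(table, nodeIds);
  const safe = queryParentSQLSafe(table, nodeIds);
  return {
    vulnerableLiterals: sqlStringLiterals(vulnerable.text), // ["root", "1", "1"]
    vulnerableHasUsersQuery: vulnerable.text.includes("FROM users"), // true
    safeLiterals: sqlStringLiterals(safe.text), // []
    safeValues: safe.values, // the whole payload, intact, as one bound value
    rejectedAtCreate: nodeIds.map((id) => !isAcceptablePrimaryKey(id)), // [true]
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The literal scanner makes the difference visible without a database: in the vulnerable statement the payload leaves only the fragments `root`, `1` and `1` inside quotes and the `UNION ALL SELECT ... FROM users` part becomes statement text, while the safe statement contains no literals at all and carries the full payload as a single bound value. The `quoteIdent` guard exists because table names cannot be bound; keeping them on a strict allow-list is the usual answer when a builder must interpolate identifiers.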