{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nocobase/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6224"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nocobase","rce","sandbox-escape","cve-2026-6224"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6224, affects NocoBase plugin-workflow-javascript versions up to 2.0.23. This vulnerability resides in the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within the \u003ccode\u003epackages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e file. By manipulating this function, an attacker can escape the intended sandbox environment. Publicly available exploits exist, increasing the risk of active exploitation. This vulnerability allows for remote, unauthenticated exploitation, making it a significant threat to systems running the affected NocoBase plugin. The vendor has not responded to vulnerability disclosure attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious request to the NocoBase server targeting the \u003ccode\u003eplugin-workflow-javascript\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe request is processed by the vulnerable \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within \u003ccode\u003eVm.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the identified manipulation technique to bypass the intended sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the underlying server environment.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary JavaScript code within the server context.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain further control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through creating new user accounts or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, leading to potential data theft, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6224 can lead to complete compromise of the NocoBase server. An attacker can gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt normal operations. Given the nature of NocoBase as a data management platform, the impact could include widespread data breaches and significant reputational damage. Because exploits are publicly available, organizations using vulnerable versions of the plugin are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NocoBase plugin-workflow-javascript to a patched version beyond 2.0.23 to remediate CVE-2026-6224.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious NocoBase Workflow JavaScript Activity\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent malicious code injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-nocobase-rce/","summary":"A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.","title":"NocoBase plugin-workflow-javascript Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nocobase-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["plugin-collection-sql"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","nocobase"],"_cs_type":"advisory","_cs_vendors":["nocobase"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e plugin for NocoBase is vulnerable to SQL injection. Specifically, the \u003ccode\u003echeckSQL()\u003c/code\u003e validation function, responsible for preventing dangerous SQL keywords, is applied to the \u003ccode\u003ecollections:create\u003c/code\u003e and \u003ccode\u003esqlCollection:execute\u003c/code\u003e endpoints, but is absent from the \u003ccode\u003esqlCollection:update\u003c/code\u003e endpoint. This oversight allows an attacker with collection management permissions (specifically, the \u003ccode\u003epm.data-source-manager.collection-sql\u003c/code\u003e snippet) to inject arbitrary SQL code. The attack involves creating a SQL collection with benign SQL, updating it with malicious SQL bypassing validation, and subsequently querying the collection to execute the injected SQL. This vulnerability, confirmed to affect versions 2.0.32 and earlier, can lead to unauthorized data access, privilege escalation, and potentially remote code execution on the database server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains collection management permissions, possibly through compromised credentials or exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to the \u003ccode\u003ecollections:create\u003c/code\u003e endpoint to create a new SQL collection with a benign SQL query, such as \u003ccode\u003e\u0026quot;SELECT 1 as id\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe NocoBase server processes the request, and the \u003ccode\u003echeckSQL()\u003c/code\u003e function validates the SQL query and allows the collection creation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the \u003ccode\u003esqlCollection:update\u003c/code\u003e endpoint, targeting the newly created collection. The request contains a SQL payload designed to extract sensitive data, such as \u003ccode\u003e\u0026quot;SELECT * FROM users\u0026quot;\u003c/code\u003e, or execute malicious functions.\u003c/li\u003e\n\u003cli\u003eThe NocoBase server processes the update request, but crucially, the \u003ccode\u003echeckSQL()\u003c/code\u003e function is not called, allowing the malicious SQL payload to be saved to the collection configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to the \u003ccode\u003e\u0026lt;collection_name\u0026gt;:list\u003c/code\u003e endpoint to query the updated collection.\u003c/li\u003e\n\u003cli\u003eThe NocoBase server executes the stored malicious SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe database returns the results of the malicious query, potentially containing sensitive data (e.g., user credentials), which is then returned to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. Attackers can exfiltrate sensitive data, including user credentials and password hashes, leading to confidentiality breaches. Furthermore, by using database-specific functions such as \u003ccode\u003epg_read_file\u003c/code\u003e or \u003ccode\u003eLOAD_FILE\u003c/code\u003e, attackers can potentially read arbitrary files from the database server\u0026rsquo;s filesystem. The vulnerability can also be exploited for privilege escalation, allowing attackers to gain unauthorized access to other databases or execute arbitrary code on the database server. While the number of victims is unknown, any NocoBase instance running a vulnerable version of the \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e plugin is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the fix suggested in the advisory by adding \u003ccode\u003echeckSQL()\u003c/code\u003e to the \u003ccode\u003eupdate\u003c/code\u003e action within the \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e plugin.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NocoBase SQL Injection via Update Endpoint\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring HTTP requests to the \u003ccode\u003esqlCollection:update\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003e@nocobase/plugin-collection-sql\u003c/code\u003e that includes the necessary validation on the \u003ccode\u003eupdate\u003c/code\u003e action, mitigating the risk of SQL injection.\u003c/li\u003e\n\u003cli\u003eImplement the more comprehensive defense measures recommended in the advisory, such as centralizing validation and strengthening the blocklist of dangerous SQL keywords to prevent future vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-nocobase-sql-injection/","summary":"A SQL injection vulnerability exists in nocobase plugin-collection-sql versions 2.0.32 and earlier due to missing validation on the sqlCollection:update endpoint, allowing attackers with collection management permissions to execute arbitrary SQL queries and exfiltrate data.","title":"NocoBase SQL Injection via Missing Validation on Update Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-24-nocobase-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["NocoBase"],"_cs_severities":["critical"],"_cs_tags":["sqli","nocobase","cve-2026-41640","injection"],"_cs_type":"advisory","_cs_vendors":["NocoBase"],"content_html":"\u003cp\u003eA SQL injection vulnerability exists in NocoBase version 2.0.32 and earlier due to string concatenation in the \u003ccode\u003equeryParentSQL()\u003c/code\u003e function within the \u003ccode\u003e@nocobase/database\u003c/code\u003e core package. The vulnerability stems from how the \u003ccode\u003equeryParentSQL()\u003c/code\u003e function constructs a recursive CTE query by concatenating \u003ccode\u003enodeIds\u003c/code\u003e instead of using parameterized queries. An attacker with record creation permissions on a tree collection with string-type primary keys can inject arbitrary SQL via a malicious string primary key value in a created record. This injection is triggered when a subsequent request initiates recursive eager loading on that collection. This can lead to confidentiality breaches (extraction of database values including credentials), integrity issues (data manipulation via stacked queries), and availability problems (resource exhaustion). On PostgreSQL with superuser privileges, OS command execution is possible. The vulnerability affects all collections using a tree/adjacency-list structure with string primary keys. The same concatenation pattern also exists in \u003ccode\u003eplugin-field-sort/src/server/sort-field.ts:124\u003c/code\u003e. The vulnerability is tracked as CVE-2026-41640.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the NocoBase application with privileges to create records in a collection.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a \u0026ldquo;tree\u0026rdquo; collection that utilizes a string-type primary key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious primary key string containing SQL injection payload, such as \u003ccode\u003eroot') UNION ALL SELECT CAST((SELECT email FROM users LIMIT 1) AS integer)::text, NULL::text WHERE ('1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new record in the target collection using the crafted malicious primary key.\u003c/li\u003e\n\u003cli\u003eA subsequent request is made that triggers recursive eager loading on the target collection, specifically when a \u003ccode\u003eBelongsTo\u003c/code\u003e association has \u003ccode\u003erecursively: true\u003c/code\u003e and instances exist, calling the vulnerable \u003ccode\u003equeryParentSQL\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003equeryParentSQL\u003c/code\u003e function concatenates the malicious primary key into the SQL query without proper sanitization or parameterization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database, allowing the attacker to extract sensitive data via error messages or potentially perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the extracted data from the error messages or through other means, such as direct database access if integrity is compromised.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SQL injection vulnerability can lead to severe consequences. Successful exploitation can result in the unauthorized disclosure of sensitive information, including database credentials and other user data. Attackers can potentially modify data or execute arbitrary commands on the database server, leading to data corruption or system compromise. In the case of PostgreSQL databases with superuser privileges, attackers might gain operating system-level access. The vulnerability affects all collections using tree/adjacency-list structure with string-type primary keys, increasing the attack surface. Confirmed extractions include version information, database names, emails, and password hashes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NocoBase SQL Injection Attempt in Primary Key\u003c/code\u003e to your SIEM to detect attempts to exploit this vulnerability via malicious primary key values.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix from the advisory by using parameterized queries in \u003ccode\u003epackages/core/database/src/eager-loading/eager-loading-tree.ts\u003c/code\u003e as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eApply the same fix to \u003ccode\u003eplugin-field-sort/src/server/sort-field.ts:124\u003c/code\u003e to address the identical concatenation pattern as described in the overview.\u003c/li\u003e\n\u003cli\u003eValidate primary key values at record creation time to reject or escape values containing SQL metacharacters (\u003ccode\u003e'\u003c/code\u003e, \u003ccode\u003e\u0026quot;\u003c/code\u003e, \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e--\u003c/code\u003e) in string-type primary key fields, as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-nocobase-sqli/","summary":"NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.","title":"NocoBase SQL Injection via Recursive Eager Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-nocobase-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Nocobase","version":"https://jsonfeed.org/version/1.1"}