๐Ÿ” CVE Alert

CVE-2026-52888

MEDIUM 6.8

NocoBase: Sensitive Data Exposure via SQL Blacklist Bypass

CVSS Score
6.8
EPSS Score
0.0%
EPSS Percentile
0th

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. In 2.0.59 and earlier, NocoBase @nocobase/plugin-collection-sql used the checkSQL() function in packages/plugins/@nocobase/plugin-collection-sql/src/server/utils.ts with an incomplete keyword blacklist that did not restrict PostgreSQL system catalog tables such as pg_shadow, pg_roles, and pg_stat_activity, allowing an admin-role user to read password hashes and database metadata through the SQL Collection feature. This vulnerability is fixed in 2.1.0-alpha.46.

CWE CWE-184 CWE-200
Vendor nocobase
Product nocobase
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for nocobase nocobase

Be the first to know when new medium vulnerabilities affecting nocobase nocobase are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

nocobase / nocobase
< 2.1.0-alpha.46

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nocobase/nocobase/security/advisories/GHSA-v8vm-cqh8-q87q github.com: https://github.com/nocobase/nocobase/commit/87c548969ce9258dd7f0d9571c9453ae10bc3fc4 github.com: https://github.com/nocobase/nocobase/releases/tag/v2.1.0-alpha.46