PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52887 nocobase CVE debrief

CVE-2026-52887 is a critical vulnerability in NocoBase, an AI-powered no-code/low-code platform used for building business applications and enterprise solutions. The vulnerability affects versions prior to 2.0.61 and involves the @nocobase/plugin-notification-in-app-message component. Specifically, the GET /api/myInAppChannels:list endpoint is exposed to stacked PostgreSQL statement injection. This occurs because the filter[latestMsgReceiveTimestamp][$lt] value is inserted into a Sequelize.literal() template string without proper escaping or parameter binding. An authenticated user with a signed-up account can exploit this issue to potentially execute commands with COPY ... TO PROGRAM, leading to arbitrary code execution on the server. The vulnerability has a CVSS score of 10, indicating critical severity. It is fixed in NocoBase version 2.0.61. Users and security teams should be aware of the potential impact and take immediate action to secure affected deployments.

Vendor
nocobase
Product
Unknown
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of NocoBase prior to version 2.0.61 should apply the patch immediately to prevent potential command injection attacks. Security teams monitoring for potential command injection attacks should prioritize this fix. Additionally, operators and administrators of affected platforms should review system logs for unexpected PostgreSQL queries and ensure proper input validation. Vulnerability management and security teams should verify patch application and monitor for suspicious activity. Affected operators and platforms should also consider restricting access to the /api/myInAppChannels:list endpoint and implementing Web Application Firewalls (WAFs) to detect suspicious traffic patterns.

Technical summary

The @nocobase/plugin-notification-in-app-message component in NocoBase versions before 2.0.61 is vulnerable to a critical issue. The GET /api/myInAppChannels:list endpoint allows a signed-up authenticated user to inject stacked PostgreSQL statements by inserting a value into a Sequelize.literal() template string without proper escaping or parameter binding. This could potentially enable the execution of commands with COPY ... TO PROGRAM, leading to arbitrary code execution on the server.

Defensive priority

High priority due to critical severity (CVSS score of 10) and potential for command injection. Security teams should prioritize patching and monitoring for potential attacks. Additional defensive measures include restricting access to the /api/myInAppChannels:list endpoint and implementing Web Application Firewalls (WAFs) to detect suspicious traffic patterns.

Recommended defensive actions

  • Apply the patch by upgrading to NocoBase version 2.0.61 or later
  • Review and restrict access to the /api/myInAppChannels:list endpoint
  • Monitor for suspicious PostgreSQL activity
  • Implement additional input validation and sanitization for user-supplied data
  • Review system logs for unexpected PostgreSQL queries
  • Ensure proper input validation for affected deployments
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-07-15T21:16:54.543Z and last modified on 2026-07-16T13:43:05.487Z. The vulnerability is fixed in version 2.0.61 of NocoBase. Limited details are available about potential exploits or attacks. Security teams should verify the patch application and monitor for suspicious activity. Defensive measures include reviewing system logs for unexpected PostgreSQL queries and ensuring proper input validation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:54.543Z and has not been modified since then.