PatchSiren cyber security CVE debrief
CVE-2026-52887 nocobase CVE debrief
CVE-2026-52887 is a critical vulnerability in NocoBase, an AI-powered no-code/low-code platform used for building business applications and enterprise solutions. The vulnerability affects versions prior to 2.0.61 and involves the @nocobase/plugin-notification-in-app-message component. Specifically, the GET /api/myInAppChannels:list endpoint is exposed to stacked PostgreSQL statement injection. This occurs because the filter[latestMsgReceiveTimestamp][$lt] value is inserted into a Sequelize.literal() template string without proper escaping or parameter binding. An authenticated user with a signed-up account can exploit this issue to potentially execute commands with COPY ... TO PROGRAM, leading to arbitrary code execution on the server. The vulnerability has a CVSS score of 10, indicating critical severity. It is fixed in NocoBase version 2.0.61. Users and security teams should be aware of the potential impact and take immediate action to secure affected deployments.
- Vendor
- nocobase
- Product
- Unknown
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of NocoBase prior to version 2.0.61 should apply the patch immediately to prevent potential command injection attacks. Security teams monitoring for potential command injection attacks should prioritize this fix. Additionally, operators and administrators of affected platforms should review system logs for unexpected PostgreSQL queries and ensure proper input validation. Vulnerability management and security teams should verify patch application and monitor for suspicious activity. Affected operators and platforms should also consider restricting access to the /api/myInAppChannels:list endpoint and implementing Web Application Firewalls (WAFs) to detect suspicious traffic patterns.
Technical summary
The @nocobase/plugin-notification-in-app-message component in NocoBase versions before 2.0.61 is vulnerable to a critical issue. The GET /api/myInAppChannels:list endpoint allows a signed-up authenticated user to inject stacked PostgreSQL statements by inserting a value into a Sequelize.literal() template string without proper escaping or parameter binding. This could potentially enable the execution of commands with COPY ... TO PROGRAM, leading to arbitrary code execution on the server.
Defensive priority
High priority due to critical severity (CVSS score of 10) and potential for command injection. Security teams should prioritize patching and monitoring for potential attacks. Additional defensive measures include restricting access to the /api/myInAppChannels:list endpoint and implementing Web Application Firewalls (WAFs) to detect suspicious traffic patterns.
Recommended defensive actions
- Apply the patch by upgrading to NocoBase version 2.0.61 or later
- Review and restrict access to the /api/myInAppChannels:list endpoint
- Monitor for suspicious PostgreSQL activity
- Implement additional input validation and sanitization for user-supplied data
- Review system logs for unexpected PostgreSQL queries
- Ensure proper input validation for affected deployments
- Track exceptions and retest remediated assets
Evidence notes
The CVE record was published on 2026-07-15T21:16:54.543Z and last modified on 2026-07-16T13:43:05.487Z. The vulnerability is fixed in version 2.0.61 of NocoBase. Limited details are available about potential exploits or attacks. Security teams should verify the patch application and monitor for suspicious activity. Defensive measures include reviewing system logs for unexpected PostgreSQL queries and ensuring proper input validation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:54.543Z and has not been modified since then.