PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55410 nocobase CVE debrief

CVE-2026-55410 is a vulnerability in NocoBase, an AI-powered no-code/low-code platform, which allows a backup-management user to execute commands as the NocoBase server process by restoring a crafted backup. This issue is fixed in version 2.1.19. The vulnerability is caused by the @nocobase/plugin-backups component interpolating the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec(). Users of NocoBase versions prior to 2.1.19 should apply the patch to prevent exploitation. The CVSS score of 6.7 indicates a medium severity vulnerability.

Vendor
nocobase
Product
Unknown
CVSS
MEDIUM 6.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of NocoBase versions prior to 2.1.19 should apply the patch to prevent exploitation. This includes administrators, developers, and security teams responsible for managing and securing NocoBase deployments. Additionally, operators and platform administrators should review the vulnerability and take necessary actions to protect their systems.

Technical summary

The @nocobase/plugin-backups component of NocoBase interpolates the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec(). A backup-management user can exploit this to execute commands as the NocoBase server process by restoring a crafted backup. The vulnerability is fixed in version 2.1.19. The CVSS score of 6.7 indicates a medium severity vulnerability. The vulnerability allows for command execution, which can lead to unauthorized access and modification of sensitive data.

Defensive priority

Medium priority given the CVSS score of 6.7 and the potential for command execution.

Recommended defensive actions

  • Apply the patch by upgrading to NocoBase version 2.1.19 or later.
  • Restrict access to backup management features to trusted users.
  • Monitor for suspicious activity related to backup restoration.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Additional details are available in the source references. However, the current information is limited, and defenders should verify the affected scope, severity, and vendor guidance. The vulnerability allows a backup-management user to execute commands as the NocoBase server process by restoring a crafted backup. The @nocobase/plugin-backups component of NocoBase interpolates the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec().

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:55.183Z and has not been modified since then.