
PatchSiren cyber security CVE debrief

CVE-2026-47384 nocodb CVE debrief

CVE-2026-47384 is a SQL injection vulnerability in NocoDB, a platform for building database applications with a spreadsheet-style interface. An authenticated user with column-create permission can inject SQL through the bulk groupBy endpoint by giving a column a title that is itself a SQL fragment. The flaw exists because the bulk groupBy path in group-by.ts builds database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string, so the column name is treated as SQL rather than as data. The issue was fixed in version 2026.05.1; users should update to that version or later to mitigate this vulnerability.

Vendor
nocodb
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Administrators and users of NocoDB should be aware of this vulnerability, particularly on instances where column-create permission is granted to ordinary users. The issue may allow an attacker to manipulate database queries, potentially leading to data exposure or unauthorized data modification. Security teams should prioritize patching to prevent exploitation.

Technical summary

The vulnerability arises from the bulk groupBy endpoint's handling of user-supplied column names. An attacker with column-create permission can inject SQL by creating a column whose title contains a SQL fragment. In group-by.ts, knex.raw() aggregations are constructed by interpolating the request's column_name directly into the SQL string, without quoting it as an identifier or validating it against the table's known columns, so attacker-controlled text becomes part of the executed statement. This can lead to data tampering or unauthorized data access.
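To make the pattern concrete, the following added example (not NocoDB code and not the vendor's patch) contrasts a groupBy aggregation built by string interpolation with a hardened version that validates the column name against known metadata and binds it as a quoted identifier. The raw() helper stands in for knex.raw's '??' identifier and '?' value bindings using Postgres-style quoting so the example runs offline; KNOWN_COLUMNS, the table name and the sample column titles are constructed for illustration.

```javascript
// Added example, not NocoDB code: the unsafe interpolation pattern the
// advisory describes beside a hardened build. raw() mimics knex.raw's
// '??' (identifier) and '?' (value) bindings with Postgres-style quoting.

// Constructed server-side column metadata for a hypothetical table.
const KNOWN_COLUMNS = new Set(['id', 'status', 'created_at']);

// Quote an identifier Postgres-style: wrap in double quotes and double any
// embedded double quote. This is what knex does for a '??' binding.
function quoteIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Quote a value: numbers pass through, strings get single quotes with any
// embedded single quote doubled.
function quoteValue(value) {
  if (typeof value === 'number') return String(value);
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Minimal stand-in for knex.raw(sql, bindings). Placeholders are consumed
// left to right; bound text is always quoted, so it can never change the
// statement's structure.
function raw(sql, bindings = []) {
  let i = 0;
  return sql.replace(/\?\??/g, (m) =>
    m === '??' ? quoteIdentifier(bindings[i++]) : quoteValue(bindings[i++]));
}

// UNSAFE (the pattern described in the advisory): the request-controlled
// column name is concatenated into the SQL text. A column title such as
//   status") FROM t; --
// therefore becomes statement text instead of naming a column.
function buildGroupByUnsafe(table, columnName) {
  return `SELECT count(${columnName}) AS count, ${columnName} AS grp ` +
    `FROM ${quoteIdentifier(table)} GROUP BY ${columnName}`;
}

// HARDENED: reject anything that is not a known column of the table, then
// bind the name with '??' so the query builder quotes it. Even if a real
// column carried a hostile title and passed the allow-list, the '??'
// binding keeps it a single identifier token (see raw() above).
function buildGroupBySafe(table, columnName) {
  if (!KNOWN_COLUMNS.has(columnName)) {
    throw new Error('unknown column: ' + JSON.stringify(columnName));
  }
  return raw('SELECT count(??) AS count, ?? AS grp FROM ?? GROUP BY ??',
    [columnName, columnName, table, columnName]);
}

// Stand-alone demonstration of both paths on a constructed hostile title.
if (typeof require !== 'undefined' && require.main === module) {
  const hostile = 'status") FROM t; --';
  console.log('unsafe :', buildGroupByUnsafe('t', hostile));
  console.log('quoted :', raw('SELECT ?? FROM ??', [hostile, 't']));
  console.log('safe   :', buildGroupBySafe('t', 'status'));
}
```

The allow-list check and the identifier binding address different failure modes: the allow-list stops names that do not correspond to any column, while the '??' binding is what keeps a legitimately created column with a hostile title from altering the query. Both are worth having; the binding is the essential one.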

Defensive priority

Patching to version 2026.05.1 or later is strongly recommended. In the interim, defenders should closely monitor database activity for suspicious queries and restrict column-create permissions to trusted users.

Recommended defensive actions

  • Apply the patch by updating NocoDB to version 2026.05.1 or later.
  • Restrict column-create permissions to trusted users only.
  • Monitor database activity for suspicious queries that may indicate SQL injection attempts.
  • Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent SQL injection attacks.
  • Conduct regular security audits and vulnerability assessments to identify and address potential issues.

Evidence notes

The CVE-2026-47384 vulnerability was publicly disclosed on June 23, 2026, and the NVD entry was last modified on June 25, 2026. The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. The issue was reported via a security advisory on GitHub.

This article was generated with AI assistance based on the supplied source corpus and is intended for informational purposes only.