CVE Catalog

CVE-2026-47375

MediumCVSS 6.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 allows an authenticated user with columnAdd permission to inject arbitrary SQL into the formula engine via the direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column.

Risk Assessment

Exploitation of this vulnerability may lead to unauthorized access to data and data manipulation in the database, posing a serious threat to the integrity and confidentiality of information within the organization.

Recommendation

It is recommended to upgrade NocoDB to version 2026.04.1 or later to mitigate this vulnerability and to conduct an audit of user permissions in the system.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS