NocoBase SQL Injection Bypass (CVE-2026-41641) Exposes Data

The National Vulnerability Database has published CVE-2026-41641, a high-severity SQL injection validation bypass in NocoBase, an AI-powered no-code/low-code platform. Before version 2.0.39, NocoBase's checkSQL() function, which is meant to block dangerous SQL constructs such as pg_read_file or LOAD_FILE, was not invoked by the sqlCollection:update endpoint at all.

Because the create path is validated and the update path is not, an attacker who already holds collection management permissions can first create a SQL collection with benign SQL, then update it with arbitrary SQL that never passes through checkSQL(). Querying the updated collection executes the injected SQL, which can lead to data exfiltration, unauthorized data modification or, depending on the privileges of the database account NocoBase connects with, full system compromise. NVD rates the issue high severity with a CVSS score of 7.2.

The root cause is inconsistent input validation: two API endpoints that accept the same data type (SQL collection definitions) apply different security controls, and the attacker simply uses the one without the check. Validation that covers only some of the paths to a sensitive sink is no validation at all. The issue is fixed in NocoBase 2.0.39; upgrade immediately.
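The two-step bypass, modelled in TypeScript (NocoBase's language) as an added example that is not NocoBase's code: a keyword filter standing in for checkSQL() guards the create action, while the update action only calls it when the "patched" flag is set. The blocked-keyword list, the collection store and the payload are constructed for illustration; the real checkSQL() is assumed to block more than the two keywords the advisory names.

```typescript
// Added example, not NocoBase's code: a minimal model of the CVE-2026-41641
// pattern. A keyword filter guards sqlCollection:create but, in the vulnerable
// version, is skipped by sqlCollection:update, so two ordinary requests bypass it.

// Keywords the advisory names as blocked; the real checkSQL() list is assumed to
// be longer and is not reproduced here.
const BLOCKED_KEYWORDS: readonly string[] = ["pg_read_file", "load_file"];

// Hypothetical stand-in for NocoBase's checkSQL(): rejects blocked keywords,
// case-insensitively, because SQL function names are case-insensitive.
function checkSQL(sql: string): void {
  const lowered = sql.toLowerCase();
  for (const kw of BLOCKED_KEYWORDS) {
    if (lowered.includes(kw)) {
      throw new Error(`checkSQL: blocked keyword '${kw}'`);
    }
  }
}

interface SqlCollection {
  name: string;
  sql: string;
}

// Toy in-memory sqlCollection resource with the three actions the advisory describes.
class SqlCollectionStore {
  private readonly collections = new Map<string, SqlCollection>();

  // validateOnUpdate=false models NocoBase before 2.0.39; true models the fix.
  constructor(private readonly validateOnUpdate: boolean) {}

  // sqlCollection:create: validated in both versions.
  create(name: string, sql: string): SqlCollection {
    checkSQL(sql);
    const created: SqlCollection = { name, sql };
    this.collections.set(name, created);
    return created;
  }

  // sqlCollection:update: the vulnerable version stores whatever it is given.
  update(name: string, sql: string): SqlCollection {
    const existing = this.collections.get(name);
    if (!existing) throw new Error(`no collection '${name}'`);
    if (this.validateOnUpdate) checkSQL(sql);
    existing.sql = sql;
    return existing;
  }

  // Querying a SQL collection runs its stored SQL; here we only return the text
  // the database would receive.
  sqlToExecute(name: string): string {
    const existing = this.collections.get(name);
    if (!existing) throw new Error(`no collection '${name}'`);
    return existing.sql;
  }
}

// Replays the advisory's two-step sequence and reports whether the update was
// accepted and what SQL a later query would execute.
function attemptBypass(validateOnUpdate: boolean): { accepted: boolean; sqlRun: string } {
  const store = new SqlCollectionStore(validateOnUpdate);
  const benign = "SELECT id, title FROM posts";
  // Constructed payload: a PostgreSQL server-side file read.
  const malicious = "SELECT pg_read_file('/etc/passwd') AS leak";
  store.create("report", benign); // passes checkSQL in both versions
  try {
    store.update("report", malicious);
    return { accepted: true, sqlRun: store.sqlToExecute("report") };
  } catch {
    return { accepted: false, sqlRun: store.sqlToExecute("report") };
  }
}

console.log("before 2.0.39:", attemptBypass(false)); // accepted: true, malicious SQL stored
console.log("2.0.39+:      ", attemptBypass(true));  // accepted: false, benign SQL kept
```

The point the model makes is that the filter itself is never defeated; the vulnerable store simply has a second write path to the same field that does not call it. The fix is a one-line call in update(), but the durable lesson is to validate at the point where the SQL is stored or executed rather than in each handler that happens to accept it.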

What This Means For You

  • If your organization runs NocoBase, verify that every instance is on version 2.0.39 or later. Until then, an attacker with collection management permissions can use CVE-2026-41641 to exfiltrate sensitive data or compromise the NocoBase environment, so treat that permission as equivalent to direct database access. Audit NocoBase and web-server logs for sqlCollection:update requests from privileged accounts, and review the SQL currently stored in existing SQL collections for statements that should not be there, since an update made before the upgrade leaves its SQL in place.

🛡️ Detection Rules

Detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; one of the three, in Sigma YAML, is reproduced below.

Level: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-41641 - NocoBase SQL Injection via sqlCollection:update

title: CVE-2026-41641 - NocoBase SQL Injection via sqlCollection:update
id: scw-2026-05-07-ai-1  # the Sigma specification expects a UUID here
status: experimental
level: critical
description: |
  Detects requests to the NocoBase sqlCollection:update action, which prior to
  NocoBase 2.0.39 skipped the checkSQL() keyword validation (CVE-2026-41641).
  An authenticated user with collection management permissions can create a SQL
  collection with benign SQL, then update it with arbitrary SQL that is executed
  when the collection is queried. The rule flags the update requests themselves;
  the SQL travels in the POST body, which webserver logs do not record, so hits
  need to be reviewed against application or audit logs.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41641/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # NocoBase exposes actions as /api/<resource>:<action>; the path below
    # follows that convention and should be confirmed against your deployment.
    c-uri|contains: '/api/sqlCollection:update'
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative changes to SQL collections
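The rule's logic run over access-log lines, as an added example in TypeScript that is not part of the page's rule set: parse Common Log Format entries, keep POSTs whose path stem is the sqlCollection:update action, and drop rejected requests, since a 4xx update cannot have stored SQL. The /api/<resource>:<action> URL form and the filterByTk query parameter are assumed NocoBase conventions, and the log lines are constructed, not captured from a real system.

```typescript
// Added example, not NocoBase's or the page's code: triage web-server access
// logs for completed POSTs to the sqlCollection:update action.

interface AccessEntry {
  ip: string;
  user: string;
  method: string;
  path: string;
  status: number;
}

// Common Log Format: ip - user [timestamp] "METHOD path HTTP/x" status size
const CLF = /^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+/;

// Returns null for lines that do not match, so one bad line does not stop triage.
function parseLine(line: string): AccessEntry | null {
  const m = CLF.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Matches on the action name with the query string stripped, so "?filterByTk=..."
// (assumed NocoBase primary-key filter parameter) does not matter. Only 2xx
// responses are flagged: a rejected update stored nothing.
function isSuspiciousUpdate(e: AccessEntry): boolean {
  const stem = e.path.replace(/\?.*$/, "");
  return e.method === "POST"
    && stem.endsWith("/api/sqlCollection:update")
    && e.status >= 200 && e.status < 300;
}

function triage(lines: string[]): AccessEntry[] {
  const hits: AccessEntry[] = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (e && isSuspiciousUpdate(e)) hits.push(e);
  }
  return hits;
}

// Constructed sample log; the hosts, users and timestamps are invented.
const SAMPLE_LOG: string[] = [
  '10.0.0.5 - admin [07/May/2026:09:20:01 +0000] "POST /api/sqlCollection:create HTTP/1.1" 200 512',
  '10.0.0.5 - admin [07/May/2026:09:20:44 +0000] "POST /api/sqlCollection:update?filterByTk=12 HTTP/1.1" 200 318',
  '10.0.0.9 - alice [07/May/2026:09:21:10 +0000] "GET /api/sqlCollection:list HTTP/1.1" 200 2048',
  '10.0.0.7 - bob [07/May/2026:09:22:03 +0000] "POST /api/sqlCollection:update?filterByTk=12 HTTP/1.1" 403 87',
  'garbage line that does not parse',
];

const review = triage(SAMPLE_LOG);
console.log(`${review.length} sqlCollection:update request(s) to review`);
for (const h of review) console.log(`${h.user}@${h.ip} ${h.method} ${h.path} -> ${h.status}`);
```

An access log can only say that an update happened and who made it; whether the new SQL is malicious has to come from NocoBase's own audit trail or from the SQL now stored in the collection, which is why a hit here is a lead to investigate rather than a confirmed exploit.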

Rule source: Shimi's Cyber World

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-41641  SQLi                    NocoBase < 2.0.39
CVE-2026-41641  SQLi                    Vulnerable function: checkSQL()
CVE-2026-41641  SQLi                    Vulnerable endpoint: sqlCollection:update
CVE-2026-41641  Information Disclosure  Data exfiltration via SQL injection

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
