CVE-2026-28399 Overview
CVE-2026-28399 is a SQL Injection vulnerability affecting NocoDB, an open-source database platform that enables users to build databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter, potentially compromising database confidentiality and integrity.
Critical Impact
Authenticated attackers with Creator role can execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or complete database compromise.
Affected Products
- NocoDB versions prior to 0.301.3
- Self-hosted NocoDB installations without the security patch
- NocoDB instances where users have Creator role access
Discovery Timeline
- 2026-03-02 - CVE-2026-28399 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28399
Vulnerability Analysis
This vulnerability (CWE-89) exists in NocoDB's formula processing functionality, specifically within the DATEADD formula implementation. The unit parameter of the DATEADD formula fails to properly sanitize user input before incorporating it into SQL queries. This allows authenticated users with Creator privileges to craft malicious input that breaks out of the intended SQL context and executes arbitrary SQL statements.
The attack requires network access and valid Creator-level authentication credentials. While the attacker needs to be authenticated, the low attack complexity makes this vulnerability relatively straightforward to exploit once access is obtained.
Root Cause
The root cause stems from improper input validation in the DATEADD formula's unit parameter handler. When processing user-supplied unit values for date calculations, the application concatenates user input directly into SQL queries without adequate parameterization or escaping. This classic SQL Injection pattern allows attackers to manipulate the query structure and inject their own SQL commands.
Attack Vector
An attacker with Creator role authentication can exploit this vulnerability by crafting a malicious DATEADD formula with a specially crafted unit parameter. The injected SQL payload is processed by the database engine, allowing the attacker to:
- Extract sensitive data from the database through UNION-based or blind SQL injection techniques
- Modify or delete existing database records
- Potentially escalate privileges within the database context
- Access data belonging to other users or workspaces
The vulnerability is exploitable over the network, requiring only valid Creator credentials and the ability to create or modify formulas within NocoDB.
Detection Methods for CVE-2026-28399
Indicators of Compromise
- Unusual DATEADD formula entries containing SQL syntax characters such as single quotes, semicolons, or SQL keywords
- Database query logs showing unexpected SQL statements originating from formula processing
- Abnormal data access patterns from Creator-level user accounts
- Error messages indicating SQL syntax errors in formula processing
Detection Strategies
- Monitor NocoDB application logs for formula processing errors or unusual patterns
- Implement database activity monitoring to detect anomalous query patterns
- Review audit logs for Creator-level users creating or modifying formulas with suspicious content
- Deploy web application firewalls (WAF) with SQL injection detection rules
Monitoring Recommendations
- Enable verbose logging for NocoDB formula processing components
- Configure alerts for database queries containing unexpected SQL commands
- Monitor for bulk data extraction attempts or unusual query result sizes
- Track failed formula validation attempts that may indicate probing activity
How to Mitigate CVE-2026-28399
Immediate Actions Required
- Upgrade NocoDB to version 0.301.3 or later immediately
- Review Creator-level user accounts and restrict access where appropriate
- Audit recent formula changes for any suspicious DATEADD usage patterns
- Consider temporarily disabling formula functionality if immediate patching is not possible
Patch Information
NocoDB has addressed this vulnerability in version 0.301.3. The security patch implements proper input sanitization for the DATEADD formula's unit parameter. Organizations running affected versions should update immediately. For detailed patch information, refer to the GitHub Release Notes and the GitHub Security Advisory.
Workarounds
- Restrict Creator role assignments to only trusted users until patching is complete
- Implement network-level access controls to limit who can reach the NocoDB instance
- Deploy a web application firewall with SQL injection detection capabilities in front of NocoDB
- Monitor and audit all formula-related activities within the application
# Upgrade NocoDB to patched version
# For npm installations:
npm update nocodb
# For Docker installations:
docker pull nocodb/nocodb:0.301.3
docker-compose up -d
# Verify installed version
nocodb --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
