Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28399

CVE-2026-28399: Nocodb SQL Injection Vulnerability

CVE-2026-28399 is a SQL injection vulnerability in Nocodb that allows authenticated users with Creator role to inject arbitrary SQL via DATEADD formula. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-28399 Overview

CVE-2026-28399 is a SQL Injection vulnerability affecting NocoDB, an open-source database platform that enables users to build databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter, potentially compromising database confidentiality and integrity.

Critical Impact

Authenticated attackers with Creator role can execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or complete database compromise.

Affected Products

  • NocoDB versions prior to 0.301.3
  • Self-hosted NocoDB installations without the security patch
  • NocoDB instances where users have Creator role access

Discovery Timeline

  • 2026-03-02 - CVE-2026-28399 published to NVD
  • 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-28399

Vulnerability Analysis

This vulnerability (CWE-89) exists in NocoDB's formula processing functionality, specifically within the DATEADD formula implementation. The unit parameter of the DATEADD formula fails to properly sanitize user input before incorporating it into SQL queries. This allows authenticated users with Creator privileges to craft malicious input that breaks out of the intended SQL context and executes arbitrary SQL statements.

The attack requires network access and valid Creator-level authentication credentials. While the attacker needs to be authenticated, the low attack complexity makes this vulnerability relatively straightforward to exploit once access is obtained.

Root Cause

The root cause stems from improper input validation in the DATEADD formula's unit parameter handler. When processing user-supplied unit values for date calculations, the application concatenates user input directly into SQL queries without adequate parameterization or escaping. This classic SQL Injection pattern allows attackers to manipulate the query structure and inject their own SQL commands.

Attack Vector

An attacker with Creator role authentication can exploit this vulnerability by crafting a malicious DATEADD formula with a specially crafted unit parameter. The injected SQL payload is processed by the database engine, allowing the attacker to:

  1. Extract sensitive data from the database through UNION-based or blind SQL injection techniques
  2. Modify or delete existing database records
  3. Potentially escalate privileges within the database context
  4. Access data belonging to other users or workspaces

The vulnerability is exploitable over the network, requiring only valid Creator credentials and the ability to create or modify formulas within NocoDB.

Detection Methods for CVE-2026-28399

Indicators of Compromise

  • Unusual DATEADD formula entries containing SQL syntax characters such as single quotes, semicolons, or SQL keywords
  • Database query logs showing unexpected SQL statements originating from formula processing
  • Abnormal data access patterns from Creator-level user accounts
  • Error messages indicating SQL syntax errors in formula processing

Detection Strategies

  • Monitor NocoDB application logs for formula processing errors or unusual patterns
  • Implement database activity monitoring to detect anomalous query patterns
  • Review audit logs for Creator-level users creating or modifying formulas with suspicious content
  • Deploy web application firewalls (WAF) with SQL injection detection rules

Monitoring Recommendations

  • Enable verbose logging for NocoDB formula processing components
  • Configure alerts for database queries containing unexpected SQL commands
  • Monitor for bulk data extraction attempts or unusual query result sizes
  • Track failed formula validation attempts that may indicate probing activity

How to Mitigate CVE-2026-28399

Immediate Actions Required

  • Upgrade NocoDB to version 0.301.3 or later immediately
  • Review Creator-level user accounts and restrict access where appropriate
  • Audit recent formula changes for any suspicious DATEADD usage patterns
  • Consider temporarily disabling formula functionality if immediate patching is not possible

Patch Information

NocoDB has addressed this vulnerability in version 0.301.3. The security patch implements proper input sanitization for the DATEADD formula's unit parameter. Organizations running affected versions should update immediately. For detailed patch information, refer to the GitHub Release Notes and the GitHub Security Advisory.

Workarounds

  • Restrict Creator role assignments to only trusted users until patching is complete
  • Implement network-level access controls to limit who can reach the NocoDB instance
  • Deploy a web application firewall with SQL injection detection capabilities in front of NocoDB
  • Monitor and audit all formula-related activities within the application
bash
# Upgrade NocoDB to patched version
# For npm installations:
npm update nocodb

# For Docker installations:
docker pull nocodb/nocodb:0.301.3
docker-compose up -d

# Verify installed version
nocodb --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne