CVE-2026-34825 Overview
CVE-2026-34825 is a SQL Injection vulnerability in NocoBase, an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, the plugin-workflow-sql component substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion.
Critical Impact
Authenticated attackers can inject arbitrary SQL commands through workflow template variables, potentially compromising the entire database including sensitive business data and user credentials.
Affected Products
- NocoBase versions prior to 2.0.30
- NocoBase plugin-workflow-sql component
- NocoBase workflow automation features with SQL nodes
Discovery Timeline
- April 2, 2026 - CVE-2026-34825 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34825
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the NocoBase plugin-workflow-sql component where template variables are directly substituted into raw SQL strings without proper sanitization. The getParsedValue() function processes user-controlled template variables and concatenates them directly into SQL queries, creating a classic SQL injection attack surface.
The vulnerability requires authenticated access with privileges to trigger workflows containing SQL nodes. When a workflow with template variables executes, user-controlled input flows directly into database queries without parameterization or escaping, allowing attackers to alter query logic, read data they should not see, or modify and delete records; what is reachable is bounded only by the privileges of the database account NocoBase connects with.
Root Cause
The root cause is the lack of parameterized query implementation in the plugin-workflow-sql component. The getParsedValue() function directly interpolates user-controlled template variables into SQL strings, violating the fundamental security principle of separating code from data. The vulnerable code path allows string concatenation of untrusted input into SQL statements rather than using prepared statements or proper input escaping mechanisms.
Attack Vector
The attack vector is network-based and requires authenticated access with workflow execution privileges. An attacker can craft malicious input values for template variables that, when processed by a SQL workflow node, alter the intended query structure. This could include union-based injection to extract additional data, boolean-based blind injection for data exfiltration, or stacked queries for database manipulation depending on the underlying database driver configuration.
// Security patch excerpt - locale strings added for the new parameterized ("safe mode") SQL node UI
// Source: https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c
"Execute a SQL statement in database.": "Execute a SQL statement in database.",
"Include meta information of this query in result": "Include meta information of this query in result",
"SQL action": "SQL action",
- "SQL query result could be used through <1>JSON query node</1> (Commercial plugin).": "SQL query result could be used through <1>JSON query node</1> (Commercial plugin).",
+ "Parameters": "Parameters",
+ "SQL parameters. Use $1, $2, etc. as placeholders in SQL and provide values here in order.": "SQL parameters. Use $1, $2, etc. as placeholders in SQL and provide values here in order.",
+ "Current node is using unsafe injection mode (legacy), which has SQL injection risks.": "Current node is using unsafe injection mode (legacy), which has SQL injection risks.",
+ "Migrate to safe mode": "Migrate to safe mode",
+ "SQL parameters. Use :name as placeholders in SQL and provide values here.": "SQL parameters. Use :name as placeholders in SQL and provide values here.",
+ "Name": "Name",
+ "Value": "Value",
+ "Add parameter": "Add parameter",
+ "SQL query result could be used through <1>JSON query node</1>.": "SQL query result could be used through <1>JSON query node</1>.",
"Select a data source to execute SQL.": "Select a data source to execute SQL.",
"Usage of SQL query result is not supported yet.": "Usage of SQL query result is not supported yet."
}
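Review bot: the two parameter help strings in this hunk describe incompatible placeholder syntaxes ("Use $1, $2, etc. as placeholders" and "Use :name as placeholders") and nothing in this file says which one a given node will be shown; if the choice depends on the data source's SQL dialect, say so in the text itself, e.g. "Use $1, $2, etc. (PostgreSQL) ..." and "Use :name (MySQL, SQLite) ...", so an operator migrating a node does not write the wrong style and ship a query whose placeholder is never bound. The pair "Current node is using unsafe injection mode (legacy)" / "Migrate to safe mode" also implies that already-configured nodes keep running in legacy mode until someone migrates them; that is worth stating explicitly in the release notes, since upgrading alone does not close the injection path for those workflows.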
Source: GitHub Commit Details
Detection Methods for CVE-2026-34825
Indicators of Compromise
- Unusual SQL error messages in application logs indicating malformed queries
- Database audit logs showing unexpected query patterns such as UNION SELECT statements or time-based functions
- Workflow execution logs with suspicious template variable values containing SQL metacharacters
- Unexpected data exfiltration or database modifications traced to workflow executions
Detection Strategies
- Monitor application logs for SQL syntax errors that may indicate injection attempts
- Implement database activity monitoring to detect anomalous query patterns from the NocoBase application
- Review workflow configurations for SQL nodes that use template variables from untrusted sources
- Deploy web application firewall (WAF) rules to detect common SQL injection payloads in workflow-related API requests
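The log-review strategies above can be run as a script rather than by eye. The following is an added example, not NocoBase code or a NocoBase feature: it scans workflow execution log lines for template-variable values that carry the payload shapes listed under Indicators of Compromise (UNION SELECT, comment terminators, stacked statements, time-based functions) and for SQL syntax errors raised by a SQL node. The one-JSON-object-per-line format with `workflow`, `node`, `vars` and `msg` fields is an assumption chosen for the example; map it onto whatever your deployment actually logs.

```javascript
// Added example, not NocoBase code: a small scanner over workflow execution
// log lines that flags template-variable values carrying SQL injection
// indicators and SQL syntax errors raised by a SQL node. The log format (one
// JSON object per line with "workflow", "node", "vars" and "msg" fields) is
// an assumption; adapt the field names to what your deployment actually logs.

// Heuristic patterns. They trade a few false positives (a legitimate value
// containing "and x=y") for catching the common payload shapes.
const RULES = [
  { rule: 'union-select',       re: /\bunion\b[\s\S]{0,40}\bselect\b/i },
  { rule: 'tautology',          re: /\b(or|and)\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+/i },
  { rule: 'comment-terminator', re: /(--|\/\*)/ },
  { rule: 'stacked-query',      re: /;\s*(select|insert|update|delete|drop|alter|create)\b/i },
  { rule: 'time-based',         re: /\b(sleep|pg_sleep|benchmark|waitfor\s+delay)\b/i },
];
// Error text as produced by PostgreSQL and MySQL when an injected value breaks the query.
const SQL_ERROR_RE = /syntax error at or near|error in your SQL syntax|unterminated quoted string/i;

// Scan an array of raw log lines. Returns every (line, variable, rule) hit plus
// a count of lines that were not JSON, so they can be reviewed separately.
function scanWorkflowLogs(lines) {
  const findings = [];
  let unparsable = 0;
  lines.forEach((line, index) => {
    let entry;
    try { entry = JSON.parse(line); } catch { unparsable += 1; return; }
    const base = { line: index + 1, workflow: entry.workflow, node: entry.node };
    for (const [variable, raw] of Object.entries(entry.vars || {})) {
      const value = typeof raw === 'string' ? raw : JSON.stringify(raw);
      for (const { rule, re } of RULES) {
        if (re.test(value)) findings.push({ ...base, variable, rule, value });
      }
    }
    if (typeof entry.msg === 'string' && SQL_ERROR_RE.test(entry.msg)) {
      findings.push({ ...base, variable: null, rule: 'sql-syntax-error', value: entry.msg });
    }
  });
  return { findings, unparsable };
}

// Constructed sample log for the example, not captured from a real system.
const SAMPLE_LOG = [
  '{"ts":"2026-04-03T10:00:01Z","workflow":12,"node":"sql_3","vars":{"username":"alice"}}',
  '{"ts":"2026-04-03T10:00:07Z","workflow":12,"node":"sql_3","vars":{"username":"x\' UNION SELECT id, password_hash FROM users --"}}',
  '{"ts":"2026-04-03T10:00:09Z","workflow":12,"node":"sql_3","msg":"syntax error at or near UNION"}',
  '{"ts":"2026-04-03T10:00:15Z","workflow":7,"node":"sql_1","vars":{"id":"1; SELECT pg_sleep(5)"}}',
  'plain text line that is not JSON',
];

const REPORT = scanWorkflowLogs(SAMPLE_LOG);
for (const f of REPORT.findings) {
  console.log(`line ${f.line} workflow ${f.workflow} node ${f.node} ${f.rule} ${f.variable ?? ''}: ${f.value}`);
}
console.log(`${REPORT.findings.length} findings, ${REPORT.unparsable} unparsable line(s)`);
```

Run it over an exported log file by replacing `SAMPLE_LOG` with the file's lines; a hit on `union-select` or `stacked-query` for a given workflow and node is the pointer for the "audit all existing workflows containing SQL nodes" step in the mitigation section, and a burst of `sql-syntax-error` entries from one node usually marks an attacker tuning a payload before it succeeds.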
Monitoring Recommendations
- Enable detailed logging for the plugin-workflow-sql component to capture all SQL queries executed
- Configure database audit logging to track queries originating from the NocoBase application user
- Set up alerts for spikes in SQL syntax errors coming from workflow executions, which typically precede a successful injection while an attacker is tuning a payload
- Monitor for mass data access patterns that could indicate successful data exfiltration
How to Mitigate CVE-2026-34825
Immediate Actions Required
- Upgrade NocoBase to version 2.0.30 or later immediately
- Audit all existing workflows containing SQL nodes for potential exploitation
- Review database access logs for signs of compromise
- Temporarily disable workflows with SQL nodes that accept user-controlled template variables until patched
Patch Information
NocoBase has released version 2.0.30 which addresses this vulnerability by implementing parameterized query support. The patch introduces a safe mode that uses placeholder syntax ($1, $2 or :name) instead of direct string interpolation. Existing workflows using the vulnerable pattern are not converted automatically: they are flagged with a warning indicating "unsafe injection mode (legacy)" and keep running in that mode until an administrator migrates each node to safe mode through the administrative interface, so upgrading alone does not close the injection path for SQL nodes that were configured before the upgrade.
For detailed patch information, refer to the GitHub Security Advisory GHSA-vx58-fwwq-5g8j and Release Notes v2.0.30.
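To make the difference between the legacy interpolation described under Root Cause and the parameterized safe mode described above concrete, here is a simplified model of a workflow SQL node. It is an added example and not NocoBase's code: the `{{path}}` template syntax, the function names `renderLegacy`, `renderSafe` and `renderSafeNamed`, and the sample data are assumptions for illustration, and NocoBase's real `getParsedValue()` is not reproduced. It shows the same untrusted value once spliced into the SQL text and once bound as a parameter, in both the `$1` and the `:name` placeholder styles the patch's UI strings mention.

```javascript
// Added example, not NocoBase code: a simplified model of how a workflow SQL
// node turns a template plus a context into a query. Function names, the
// {{path}} template syntax and the sample data are assumptions for illustration;
// NocoBase's real getParsedValue() is not reproduced here.

const TEMPLATE_RE = /\{\{\s*([\w$.]+)\s*\}\}/g;

// Resolve a dotted path such as "$context.username" against the context object.
function lookup(context, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
}

// Legacy mode (the pre-2.0.30 behaviour): the variable's value is spliced into
// the SQL text, so a value containing quotes, comments or statement separators
// becomes SQL rather than data.
function renderLegacy(sqlTemplate, context) {
  return sqlTemplate.replace(TEMPLATE_RE, (_, path) => String(lookup(context, path)));
}

// Safe mode, positional form: the SQL text only ever contains $1, $2, ... and
// the values travel separately, in order, for the driver to bind. The template
// must not quote the placeholder (WHERE name = {{x}}, not '{{x}}'), otherwise
// '$1' is a string literal and the value is never bound.
function renderSafe(sqlTemplate, context) {
  const values = [];
  const text = sqlTemplate.replace(TEMPLATE_RE, (_, path) => {
    values.push(lookup(context, path));
    return `$${values.length}`;
  });
  return { text, values };
}

// Safe mode, named form (:name), keyed by the last path segment. Two variables
// sharing a last segment would collide, so this is a sketch of the idea only.
function renderSafeNamed(sqlTemplate, context) {
  const params = {};
  const text = sqlTemplate.replace(TEMPLATE_RE, (_, path) => {
    const name = path.split('.').pop();
    params[name] = lookup(context, path);
    return `:${name}`;
  });
  return { text, params };
}

// Constructed attacker input: "username" arrives from the form that triggers
// the workflow, so the attacker chooses it.
const ATTACKER_CONTEXT = {
  $context: { username: "x' UNION SELECT id, password_hash FROM users --" },
};

// What the two modes produce for the same untrusted value.
function demo() {
  const legacy = renderLegacy(
    "SELECT id, email FROM users WHERE username = '{{$context.username}}'",
    ATTACKER_CONTEXT,
  );
  const safe = renderSafe(
    'SELECT id, email FROM users WHERE username = {{$context.username}}',
    ATTACKER_CONTEXT,
  );
  return { legacy, safe };
}

const OUT = demo();
console.log('legacy:', OUT.legacy);                  // the UNION is now part of the query
console.log('safe  :', OUT.safe.text, OUT.safe.values); // the UNION is an inert string value
```

In legacy mode the result is one query whose WHERE clause ends in a UNION that reads another column set; in safe mode the query text is fixed and the whole payload is the single bound value of `$1`, which the database compares against `username` and finds no match. When migrating a node to safe mode, strip the quotes that used to surround the variable, or the placeholder never gets bound.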
Workarounds
- Restrict workflow creation and modification permissions to trusted administrators only
- Disable or remove SQL nodes from workflows that process user-controlled input
- Implement network segmentation to limit database access from the NocoBase application server
- Apply database-level restrictions to limit the permissions of the NocoBase database user account
-- Configuration example (PostgreSQL) - restrict the NocoBase database user.
-- Run as a superuser. This limits blast radius only: with SELECT/INSERT/UPDATE/DELETE
-- kept, an injected query can still read or change data in these tables.
REVOKE ALL PRIVILEGES ON DATABASE nocobase FROM nocobase_app;
GRANT CONNECT ON DATABASE nocobase TO nocobase_app;
GRANT USAGE ON SCHEMA public TO nocobase_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO nocobase_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO nocobase_app;
-- Schema privileges in PostgreSQL are only CREATE and USAGE; DROP/ALTER follow table
-- ownership, so the tables must be owned by a different role. Withholding CREATE also
-- stops NocoBase from creating tables for new collections, so test before applying.
REVOKE CREATE ON SCHEMA public FROM nocobase_app;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


