SQL injection in NocoDB - CVE-2026-28399


Published: April 27, 2026


Vulnerability identifier: #VU127988
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28399
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nocodb
Affected software:
NocoDB

Detailed vulnerability description

The vulnerability allows a remote user to disclose or modify data in the connected database.

The vulnerability exists due to SQL injection in the DATEADD formula handling when processing the unit parameter. A remote user can supply a crafted DATEADD formula to disclose or modify data in the connected database.

The issue affects MySQL, PostgreSQL, and SQLite function mappings, and exploitation requires Creator role privileges.
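The root cause described above is a formula argument (the DATEADD unit) reaching the generated SQL text as-is. The sketch below is an added illustration of the defensive pattern for this class of bug, not NocoDB's own code: the unit is resolved through a fixed allowlist per dialect, the count is passed as a bound parameter, and anything unrecognized is rejected before any SQL is built. The function and type names, the `?` placeholder style, and the column being an already-quoted schema identifier are all assumptions of this example.

```typescript
// Added example (not NocoDB's code): allowlist-based DATEADD mapping for
// the three dialects named in the advisory. The untrusted `unit` string is
// never interpolated; only a keyword chosen from UNIT_MAP reaches the SQL.

type Dialect = "mysql" | "pg" | "sqlite";
type Unit = "day" | "week" | "month" | "year";

// Per-dialect keyword for each accepted unit (hypothetical table).
const UNIT_MAP: Record<Unit, Record<Dialect, string>> = {
  day:   { mysql: "DAY",   pg: "day",   sqlite: "days" },
  week:  { mysql: "WEEK",  pg: "week",  sqlite: "days" },   // SQLite has no week modifier; 1 week = 7 days
  month: { mysql: "MONTH", pg: "month", sqlite: "months" },
  year:  { mysql: "YEAR",  pg: "year",  sqlite: "years" },
};

class InvalidUnitError extends Error {}

// Returns the canonical unit or throws. The error message deliberately does
// not echo the rejected input, so nothing untrusted is reflected anywhere.
function normalizeUnit(unit: string): Unit {
  const key = unit.trim().toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(UNIT_MAP, key)) {
    throw new InvalidUnitError("unsupported DATEADD unit");
  }
  return key as Unit;
}

// Builds the SQL fragment plus its bindings. `column` is assumed to be an
// identifier already quoted by the schema layer; `count` is always bound.
function buildDateAdd(
  dialect: Dialect,
  column: string,
  count: number,
  unit: string,
): { sql: string; bindings: number[] } {
  const u = normalizeUnit(unit);
  if (!Number.isInteger(count)) {
    throw new RangeError("DATEADD count must be an integer");
  }
  const kw = UNIT_MAP[u][dialect];
  switch (dialect) {
    case "mysql":
      return { sql: `DATE_ADD(${column}, INTERVAL ? ${kw})`, bindings: [count] };
    case "pg":
      return { sql: `${column} + (? * INTERVAL '1 ${kw}')`, bindings: [count] };
    case "sqlite": {
      // SQLite modifiers are strings like '14 days'; build it from a bound number.
      const n = u === "week" ? count * 7 : count;
      return { sql: `DATE(${column}, ? || ' ${kw}')`, bindings: [n] };
    }
    default:
      throw new Error("unsupported dialect");
  }
}

// Stand-alone demonstration with constructed inputs.
console.log(buildDateAdd("mysql", "`created_at`", 3, "day"));
console.log(buildDateAdd("sqlite", "\"created_at\"", 2, "week"));
try {
  buildDateAdd("pg", "\"created_at\"", 1, "fortnight");
} catch (e) {
  console.log("rejected:", (e as Error).message);
}
```

The check that matters for detection and review is that `normalizeUnit` is the only path from user input to the SQL string: if a code path ever concatenates the raw `unit` (or the raw count) into the fragment, the allowlist is bypassed regardless of how strict it is.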


How to mitigate CVE-2026-28399

Install the security update from the vendor's website.

Sources