NocoDB Vulnerable to SQL Injection via DATEADD Formula

GHSA-45rp-9p97-h852 · CVE-2026-28399

Published Mar 3, 2026 · Modified Mar 4, 2026

Description

Summary

An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.

Details

The third argument (unit) of DATEADD was interpolated directly into knex.raw() queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST node types — non-Literal types bypassed validation entirely. Affected MySQL, PostgreSQL, and SQLite function mappings.

Impact

SQL injection allowing data exfiltration or modification, scoped to the connected database.

Credit

This issue was reported by @q1uf3ng.

References

WEB https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-28399
PACKAGE https://github.com/nocodb/nocodb
WEB https://github.com/nocodb/nocodb/releases/tag/0.301.3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes