Launch Week Day 1: Announcing Security Design Review
Start for Free
UNKNOWN npm

NocoDB: SQL Injection via Column Title in Bulk GroupBy

GHSA-p8wx-5f39-w3x4 · CVE-2026-47384

Published · Modified

Description

Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.

Details

The bulk groupBy path in group-by.ts builds three database-specific knex.raw()
aggregations that interpolate the request's column_name directly into the SQL string.
Column lookup in data-table.service.ts matches on both the sanitized column_name
field and the free-text title, so a title containing a SQL fragment bypasses the
public endpoint's existing column allowlist and reaches the query builder unescaped.

Impact

SQL injection against the connected database with read access to any expression an
attacker can place in a column title. Exploitation requires an authenticated session
with permission to create or rename columns.

Credit

This issue was reported by @geo-chen.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes