CVE
CVE-2026-28399
NocoDB Vulnerable to SQL Injection via DATEADD Formula
Summary
An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.
Details
The third argument (unit) of DATEADD was interpolated directly into knex.raw() queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST node types — non-Literal types bypassed validation entirely. Affected MySQL, PostgreSQL, and SQLite function mappings.
Impact
SQL injection allowing data exfiltration or modification, scoped to the connected database.
Credit
This issue was reported by @q1uf3ng.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
6.2
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852, https://nvd.nist.gov/vuln/detail/CVE-2026-28399, https://github.com/nocodb/nocodb, https://github.com/nocodb/nocodb/releases/tag/0.301.3
Basic Information
Ecosystem
