GHSA-p8wx-5f39-w3x4Medium

NocoDB: SQL Injection via Column Title in Bulk GroupBy

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.

Details

The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.

Impact

SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.

Credit

This issue was reported by @geo-chen.

🎯 Affected products1

  • npm/nocodb:<= 2026.05.0

🔗 References (3)