PT-2026-22636 · Nocodb · Nocodb

Q1Uf3Ng

Published: 2026-03-02 · Updated: 2026-03-25 · CVE-2026-28399

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.301.3

Description: NocoDB is software for building databases as spreadsheets. An authenticated user with the Creator role can inject arbitrary SQL code through the unit parameter of the DATEADD formula. The third argument (unit) of the DATEADD function was directly interpolated into knex.raw() queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST node types, allowing non-Literal node types to bypass validation. This affects the MySQL, PostgreSQL, and SQLite function mappings. Successful exploitation could lead to data exfiltration from, or modification of, the connected database.

Recommendations: Versions prior to 0.301.3 should be updated to version 0.301.3 or later.
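The defect pattern and its allowlist fix, as an added example that is not NocoDB's code: the DATEADD unit sits in a SQL keyword position (INTERVAL <n> <unit>), so it cannot be passed as a bound parameter and must be mapped through a fixed table after a check that runs for every AST node kind. The node shapes, function names and the knex.raw()-style { sql, bindings } result are assumptions.

```typescript
// Shape of what a knex.raw(sql, bindings) call receives (assumed here).
interface RawQuery { sql: string; bindings: unknown[] }

// Minimal formula AST mirroring the Literal / non-Literal distinction from
// the advisory; the concrete node shapes are hypothetical.
type AstNode =
  | { type: "Literal"; value: string | number }
  | { type: "Identifier"; name: string }
  | { type: "CallExpression"; callee: string; args: AstNode[] };

function nodeToText(node: AstNode): string {
  if (node.type === "Literal") return String(node.value);
  if (node.type === "Identifier") return node.name;
  return `${node.callee}(${node.args.map(nodeToText).join(", ")})`;
}

// Vulnerable pattern described in the advisory: the unit is validated only
// when the node is a Literal; any other node kind is rendered to text, has
// its quote characters stripped, and is interpolated into the SQL string.
function dateAddVulnerable(col: string, n: number, unit: AstNode): RawQuery {
  const known = ["day", "week", "month", "year"];
  if (unit.type === "Literal" && !known.includes(String(unit.value).toLowerCase())) {
    throw new Error("invalid unit");
  }
  const text = nodeToText(unit).replace(/['"]/g, "");
  return { sql: `DATE_ADD(??, INTERVAL ? ${text})`, bindings: [col, n] };
}

// Hardened form: reject every non-Literal node up front, then emit SQL text
// taken from a fixed allowlist table rather than from the user's node.
const MYSQL_UNITS: Record<string, string> = {
  day: "DAY", week: "WEEK", month: "MONTH", year: "YEAR",
};

function dateAddSafe(col: string, n: number, unit: AstNode): RawQuery {
  if (unit.type !== "Literal" || typeof unit.value !== "string") {
    throw new Error("DATEADD unit must be a string literal");
  }
  const mapped = MYSQL_UNITS[unit.value.toLowerCase()];
  if (mapped === undefined) {
    throw new Error(`unsupported DATEADD unit: ${unit.value}`);
  }
  // Column and count travel as knex bindings; only the allowlisted keyword
  // is spliced into the SQL text.
  return { sql: `DATE_ADD(??, INTERVAL ? ${mapped})`, bindings: [col, n] };
}
```

The same allowlist-per-dialect approach applies to the PostgreSQL and SQLite mappings the advisory names; only the table contents change.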

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-28399
GHSA-45RP-9P97-H852

Affected Products

Nocodb