PT-2026-29814 · Nocobase · Plugin-Workflow-Sql+1

Highmytharcher · Published 2026-04-01 · Updated 2026-04-03 · CVE-2026-34825

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: NocoBase versions prior to 2.0.30

Description: NocoBase is an AI-powered no-code/low-code platform. The plugin-workflow-sql component, in versions up to 2.0.8, directly substitutes template variables into raw SQL strings using getParsedValue() without proper parameterization or escaping. This allows a user triggering a workflow containing a SQL node with template variables derived from user-controlled data to inject arbitrary SQL code. The SQLInstruction in packages/plugins/@nocobase/plugin-workflow-sql/src/server/SQLInstruction.ts processes SQL templates without escaping or quoting. Specifically, the getParsedValue() function performs string substitution of {{$context.data.fieldName}} placeholders with values from the workflow trigger data. An attacker can exploit this by crafting a malicious input, such as a nickname containing a SQL injection payload, to execute arbitrary SQL commands against the database. This could lead to full database read/write access, potentially allowing an attacker to extract credentials, modify records, or drop tables, depending on the database user's privileges.

Recommendations: Update to version 2.0.30 or later. Implement parameterized queries by replacing direct string substitution with Sequelize bind parameters. Use processor.getParsedValueAsParams() to generate the SQL query and bind parameters.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-34825
GHSA-VX58-FWWQ-5G8J

Affected Products

Nocobase
Plugin-Workflow-Sql