PT-2026-34609 · Unknown · @Nocobase/Database
P80N-Sec · Published 2026-04-22 · Updated 2026-05-12 · CVE-2026-41640
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @nocobase/database versions prior to 2.0.39

Description: An issue exists in the queryParentSQL() function within the core database package, where a recursive CTE query is constructed by joining nodeIds with string concatenation instead of parameterized queries. An attacker with record-creation permissions on a tree collection that uses string-type primary keys can store a primary key value containing SQL, which is then executed when a subsequent request triggers recursive eager loading on that collection. The flaw allows error-based extraction of sensitive database information, such as user emails and password hashes. In certain environments, such as PostgreSQL running with superuser privileges, this could potentially lead to OS command execution via the COPY ... TO PROGRAM command.

Recommendations: Update @nocobase/database to version 2.0.39 or later. As a temporary workaround, restrict the use of string-type primary keys in tree collections, or validate primary key values at record creation to reject strings containing SQL metacharacters.
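The fix and the workaround above, as an added illustration that is not NocoBase's code: a recursive parent-lookup CTE built with PostgreSQL-style placeholders so that node ids travel in the parameter array rather than the SQL text, plus the metacharacter check the workaround describes. The table name, the "id"/"parentId" column names and the helper names are assumptions for this example; the page names only queryParentSQL() and nodeIds.

```javascript
// Constructed example of a parameterized recursive CTE for a tree collection.
// Assumed schema: table with "id" (string primary key) and "parentId" columns.

// Only allow plain identifiers for the table name; it cannot be a bind parameter.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Build the parent-chain query for the given node ids.
// Returns { sql, params } ready for a driver that accepts $1, $2, ... placeholders.
function buildParentCte(table, nodeIds) {
  if (!IDENT.test(table)) throw new Error('invalid table identifier');
  if (!Array.isArray(nodeIds) || nodeIds.length === 0) throw new Error('nodeIds required');
  const placeholders = nodeIds.map((_, i) => `$${i + 1}`).join(', ');
  const sql =
    `WITH RECURSIVE parents AS (` +
    `SELECT "id", "parentId" FROM "${table}" WHERE "id" IN (${placeholders}) ` +
    `UNION ALL ` +
    `SELECT t."id", t."parentId" FROM "${table}" t JOIN parents p ON t."id" = p."parentId"` +
    `) SELECT "id", "parentId" FROM parents`;
  // Values are passed separately; quotes or comment markers in them never reach the SQL text.
  return { sql, params: nodeIds.map(String) };
}

// Workaround-style check for string primary keys at record creation:
// reject quotes, semicolons, backslashes and SQL comment sequences.
const SQL_METACHARS = /['"`;\\]|--|\/\*|\*\//;
function isSafePrimaryKey(value) {
  return typeof value === 'string' && value.length > 0 && !SQL_METACHARS.test(value);
}

// Stand-alone demonstration with a constructed id containing an apostrophe.
const demo = buildParentCte('tree_nodes', ['node-1', "o'reilly"]);
console.log(demo.sql);
console.log(demo.params);
console.log(isSafePrimaryKey('node-1'), isSafePrimaryKey("o'reilly"));
```

Note that the workaround rejects legitimate values such as "o'reilly" as well; parameterization is the proper fix and the check is only a stopgap for unpatched versions.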

Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-41640, GHSA-4948-F92Q-F432

Affected Products: @Nocobase/Database