PT-2026-34610 · Nocobase · @Nocobase/Plugin-Collection-Sql

P80N-Sec · Published 2026-04-22 · Updated 2026-05-07 · CVE-2026-41641

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @nocobase/plugin-collection-sql versions prior to 2.0.39
Description: An issue exists where the checkSQL() validation function, designed to block dangerous SQL keywords such as pg_read_file, LOAD_FILE, and dblink, is not applied to the 'sqlCollection:update' endpoint. While this validation is active for 'collections:create' and 'sqlCollection:execute', its absence from the update path allows an attacker with collection management permissions to bypass the check. By creating a collection with benign SQL and subsequently updating it with arbitrary SQL, an attacker can execute unauthorized queries to exfiltrate sensitive data, read arbitrary files from the database server filesystem, or perform lateral movement to other databases.
Recommendations: Update @nocobase/plugin-collection-sql to version 2.0.39 or later. As a temporary workaround, restrict access to the 'sqlCollection:update' endpoint to minimize the risk of exploitation.
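As an added example (not code from NocoBase or from the advisory's author), the JavaScript below models the create/execute/update wiring the description above and probes each action with a harmless sentinel, so that a path which stores SQL without passing through checkSQL() is reported; the action names follow the advisory, while the keyword list, the in-memory store and the handler bodies are assumptions.

```javascript
// Added example, not NocoBase's own code. It models the advisory's bug: a
// checkSQL() screen applied on create and execute but missing on update, plus
// an audit that probes every SQL-accepting action with one harmless sentinel.
// Action names mirror the advisory; the keyword list, the in-memory store and
// the handler bodies are assumptions.

const BLOCKED = ['pg_read_file', 'load_file', 'dblink']; // named in the advisory; real list assumed longer
const PATTERN = new RegExp(`\\b(${BLOCKED.join('|')})\\b`, 'i');

// Validator modelled on checkSQL(): rejects text mentioning a blocked keyword.
function checkSQL(sql) {
  if (typeof sql !== 'string' || PATTERN.test(sql)) {
    throw new Error('checkSQL: SQL rejected');
  }
}

// The three actions from the advisory; each receives { name, sql }.
// validateOnUpdate=false reproduces the pre-2.0.39 wiring.
function makeActions(store, { validateOnUpdate }) {
  return {
    'collections:create': ({ name, sql }) => { checkSQL(sql); store.set(name, sql); },
    'sqlCollection:execute': ({ sql }) => { checkSQL(sql); return `would run: ${sql}`; },
    'sqlCollection:update': ({ name, sql }) => {
      if (validateOnUpdate) checkSQL(sql); // the call that was missing
      store.set(name, sql);
    },
  };
}

// Audit: a harmless statement that the screen must reject. Any action that
// accepts it (or fails for some other reason) is reported as unscreened.
const SENTINEL = 'SELECT 1 /* dblink */';
function findUnscreenedActions(actions) {
  const unscreened = [];
  for (const [action, run] of Object.entries(actions)) {
    try {
      run({ name: 'audit_probe', sql: SENTINEL });
      unscreened.push(action); // accepted the sentinel: no checkSQL on this path
    } catch (e) {
      if (!/^checkSQL/.test(e.message)) unscreened.push(action);
    }
  }
  return unscreened;
}

// Pre-fix wiring flags exactly the update action; fixed wiring flags nothing.
const before = findUnscreenedActions(makeActions(new Map(), { validateOnUpdate: false }));
const after = findUnscreenedActions(makeActions(new Map(), { validateOnUpdate: true }));
console.log({ before, after }); // { before: [ 'sqlCollection:update' ], after: [] }
```

Running the same probe as a regression test against every action that takes an `sql` parameter keeps a newly added endpoint from repeating the omission.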

Exploit · Fix · Improper Access Control · SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-41641
GHSA-WRWH-C28M-9JJH

Affected Products

@Nocobase/Plugin-Collection-Sql