PT-2026-46993 · Npm · Nocodb
Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-47375
CVSS v3.1: 6.0 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
Summary
An authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is not restricted by formula validation and is embedded into a knex.raw ORDER BY clause, which executes during column creation and on every subsequent record read of the formula column.
Details
The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. Two factors combine:
- ARRAYSORT declares only an argument count, not validation.args.type, so validate-extract-tree.ts does not enforce an allowlist on the second argument.
- The Postgres mapping then passes the attacker-controlled value through sanitize(knex.raw(...)) into a raw SQL fragment:
```ts
const direction = pt.arguments[1]
  ? sanitize(
      knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder),
    )
  : knex.raw('asc');
return {
  builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),
};
```
sanitize() in sqlSanitize.ts only escapes the ? placeholder character; it does not validate SQL syntax. A payload such as "desc, (SELECT COUNT(*) FROM generate_series(1,30000000))" is accepted, persisted, and re-executed on every read of the formula column.
Impact
- Authenticated SQL injection against Postgres-backed bases.
- Requires columnAdd permission (creator/owner-level).
- Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).
- Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.
- Limited to Postgres backends.
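The check the advisory identifies as missing, shown as an added example written for this page rather than code from NocoDB: the direction argument is reduced to an asc/desc allowlist before anything reaches the raw ORDER BY fragment, alongside the unchecked shape for contrast. knex is not a dependency here; raw() and sanitize() below are minimal stand-ins that mimic only the two behaviours the advisory describes (a Raw binding is inlined verbatim, and sanitize escapes nothing but ?), and every function name is this example's own.

```typescript
// Added example for this advisory, not NocoDB code. raw() and sanitize() are
// deliberately small stand-ins for knex.raw and sqlSanitize; all names are ours.

type RawSql = { sql: string; bindings: string[] };

// Stand-in for knex.raw: `??` binds an identifier (double-quoted), `?` binds a
// value (kept as a parameter), and a RawSql binding is inlined verbatim, which
// is the behaviour that makes an unvalidated raw fragment dangerous. Bindings
// of nested fragments are not merged; the fragments used here carry none.
function raw(sql: string, bindings: (string | RawSql)[] = []): RawSql {
  let i = 0;
  const out: string[] = [];
  const rendered = sql.replace(/\?\??/g, (token) => {
    const b = bindings[i++] as string | RawSql | undefined;
    if (b === undefined) throw new Error("raw(): missing binding");
    if (typeof b !== "string") return b.sql;                 // nested raw: inlined
    if (token === "??") return `"${b.replace(/"/g, '""')}"`; // identifier
    out.push(b);                                              // value: parameterised
    return "?";
  });
  return { sql: rendered, bindings: out };
}

// Stand-in for sanitize() as the advisory describes it: it escapes the `?`
// placeholder so later binding passes leave it alone, and validates nothing.
function sanitize(fragment: RawSql): RawSql {
  return { sql: fragment.sql.replace(/\?/g, "\\?"), bindings: fragment.bindings };
}

// Shape of the vulnerable mapping: the second argument becomes a raw fragment
// and is spliced into ORDER BY without any check on its content.
function buildArraySortUnsafe(source: string, directionArg?: string): RawSql {
  const direction = directionArg ? sanitize(raw(directionArg)) : raw("asc");
  return raw("ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)", [source, direction]);
}

// Hardened form: the argument is mapped onto one of two fixed keywords, so the
// caller-supplied string itself never enters the query text.
function parseSortDirection(arg?: string): "asc" | "desc" {
  const value = (arg ?? "asc").trim().toLowerCase();
  if (value !== "asc" && value !== "desc") {
    throw new Error(`ARRAYSORT: direction must be ASC or DESC, got ${JSON.stringify(arg)}`);
  }
  return value;
}

function buildArraySortSafe(source: string, directionArg?: string): RawSql {
  const direction = parseSortDirection(directionArg);
  return raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ${direction})`, [source]);
}

// The payload quoted in the advisory, used here only to show the contrast.
const ADVISORY_PAYLOAD = "desc, (SELECT COUNT(*) FROM generate_series(1,30000000))";

// True when the hardened builder refuses the argument.
function isRejected(directionArg?: string): boolean {
  try {
    buildArraySortSafe("tags", directionArg);
    return false;
  } catch {
    return true;
  }
}

console.log("unsafe:", buildArraySortUnsafe("tags", ADVISORY_PAYLOAD).sql);
console.log("safe  :", buildArraySortSafe("tags", "DESC").sql);
console.log("payload rejected by allowlist:", isRejected(ADVISORY_PAYLOAD));
```

The unsafe builder renders the advisory's payload straight into the ORDER BY clause, while the hardened builder throws before any SQL is assembled; the same allowlist could equally be expressed as validation.args.type on the ARRAYSORT declaration so that validate-extract-tree.ts rejects the argument at formula-validation time rather than in the Postgres mapping.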
Credit
This issue was reported by @leduckhuong.
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Nocodb