PT-2026-60297 · Nocobase · Nocobase+1

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-52888

CVSS v3.1

6.8

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.1.0-alpha.46
Description In the @nocobase/plugin-collection-sql plugin, the checkSQL() function contains an incomplete keyword blacklist. This flaw fails to restrict access to PostgreSQL system catalog tables, including pg shadow, pg roles, and pg stat activity. Consequently, a user with an admin role can utilize the SQL Collection feature to read database metadata and password hashes.
Recommendations Update to version 2.1.0-alpha.46.

Fix

Incomplete List of Disallowed Inputs

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52888

Affected Products

@Nocobase/Plugin-Collection-Sql
Nocobase