Score: 8.6

NocoDB SQL Injection via Date Formula

CVE-2026-28399 · GHSA-45rp-9p97-h852
Summary

An authenticated user with the Creator role can inject arbitrary SQL into NocoDB's database through the DATEADD formula's unit parameter, potentially allowing them to steal or modify data. This is a serious issue because it allows unauthorized access to sensitive information. To protect your data, update to the latest version of NocoDB.

What to do
  • Update pranavxc nocodb to version 0.301.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| pranavxc | nocodb | <= 0.301.2 | 0.301.3 |
| nocodb | nocodb | <= 0.301.3 | |
| pranavxc | nocodb | <= 0.301.3 | 0.301.3 |
Original title
NocoDB Vulnerable to SQL Injection via DATEADD Formula
Original description
### Summary
An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.

### Details
The third argument (`unit`) of `DATEADD` was interpolated directly into `knex.raw()` queries after only stripping quote characters. Validation in `formulas.ts` only checked `Literal` AST node types, so non-Literal node types bypassed validation entirely. The MySQL, PostgreSQL, and SQLite function mappings were all affected.
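As an added illustration (not NocoDB's code), the two validation shapes side by side in JavaScript: a type-gated check that lets non-`Literal` nodes through to a quote-stripped interpolation, beside an allowlist check applied to the resolved value regardless of node type. The AST node shapes, helper names and allowlist are assumptions, and the template string stands in for the `knex.raw()` fragment.

```javascript
// Added example, not NocoDB's code: a minimal model of the reported gap.
// Node shapes are a hypothetical simplification of a formula AST; the
// template string stands in for the knex.raw() call the advisory describes.
const ALLOWED_UNITS = new Set(['second', 'minute', 'hour', 'day', 'week', 'month', 'year']);

// Text a node contributes when rendered into SQL (hypothetical helper).
function nodeText(node) {
  return String(node.type === 'Literal' ? node.value : node.name);
}

// Before: only Literal nodes are validated. Any other node type reaches the
// interpolation with nothing but a quote strip, which is not validation.
function vulnerableUnitSql(unitNode) {
  if (unitNode.type === 'Literal' && !ALLOWED_UNITS.has(unitNode.value)) {
    throw new Error('invalid DATEADD unit');
  }
  const raw = nodeText(unitNode).replace(/['"]/g, '');
  return `DATE_ADD(col, INTERVAL 1 ${raw})`;
}

// After: require a string Literal, resolve it against the allowlist, and
// build the SQL from the allowlisted value rather than the caller's text.
function safeUnitSql(unitNode) {
  if (unitNode.type !== 'Literal' || typeof unitNode.value !== 'string') {
    throw new Error('DATEADD unit must be a string literal');
  }
  const unit = unitNode.value.trim().toLowerCase();
  if (!ALLOWED_UNITS.has(unit)) {
    throw new Error(`DATEADD unit not allowed: ${unit}`);
  }
  return `DATE_ADD(col, INTERVAL 1 ${unit})`;
}

// True when fn throws; lets callers check that a value was rejected.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```

The fix is the shape a reviewer should look for: the check runs on the value that actually reaches the query, not on one syntactic form of it.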

### Impact
SQL injection allowing data exfiltration or modification, scoped to the connected database.

### Credit
This issue was reported by [@q1uf3ng](https://github.com/q1uf3ng).
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 6.2
Vulnerability type
CWE-89 SQL Injection
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026