
CVE-2026-41640

High ⚡ Exploit Available
Weakness Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Published: May 7, 2026  ·  Modified: May 14, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
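The pattern the description refers to, shown as an added illustration that is not NocoBase's code: a recursive-CTE parent lookup built by string concatenation next to the same query built with bind parameters. The table and column names (`tree`, `id`, `parent_id`), the PostgreSQL-style `$n` placeholders, the `compareBuilders` helper and the sample ids are assumptions made for this example; the real queryParentSQL() is not reproduced here.

```javascript
// Added example, not NocoBase's code: the same recursive-CTE parent lookup built two ways.
// Table `tree`, columns `id`/`parent_id`, the PostgreSQL-style $n placeholders and the
// sample ids are assumptions for illustration; queryParentSQL() itself is not reproduced.

// Recursive part shared by both builders: walk up from the seed rows to their parents.
const CTE_TAIL =
  'UNION ALL SELECT t.id, t.parent_id FROM tree t JOIN ancestors a ON t.id = a.parent_id) ' +
  'SELECT id, parent_id FROM ancestors';

// Vulnerable pattern: primary keys read from rows are quoted and spliced into the SQL
// text, so a string key that contains a quote rewrites the statement itself.
function buildParentQueryUnsafe(nodeIds) {
  const idList = nodeIds.map((id) => `'${id}'`).join(', ');
  return `WITH RECURSIVE ancestors AS (SELECT id, parent_id FROM tree WHERE id IN (${idList}) ${CTE_TAIL}`;
}

// Hardened pattern: one placeholder per key; the values travel separately as bind
// parameters, so the statement text depends only on how many keys there are.
function buildParentQuerySafe(nodeIds) {
  if (!Array.isArray(nodeIds) || nodeIds.length === 0) {
    throw new Error('nodeIds must be a non-empty array'); // IN () is invalid SQL anyway
  }
  const placeholders = nodeIds.map((_, i) => `$${i + 1}`).join(', ');
  const sql = `WITH RECURSIVE ancestors AS (SELECT id, parent_id FROM tree WHERE id IN (${placeholders}) ${CTE_TAIL}`;
  return { sql, params: nodeIds.map(String) };
}

// Constructed sample: two ordinary keys plus one string primary key carrying SQL syntax,
// the kind of value the description says an attacker could store in a record.
const SAMPLE_NODE_IDS = ['n1', 'n2', "x') OR ('1'='1"];
const INJECTED_MARKER = "OR ('1'='1";

// Returns true when the statement text produced by `builder` contains `marker`, i.e. when
// a data value has become part of the SQL the database will parse.
function statementTextCarries(builder, nodeIds, marker) {
  const built = builder(nodeIds);
  const sql = typeof built === 'string' ? built : built.sql;
  return sql.includes(marker);
}

function countPlaceholders(sql) {
  return (sql.match(/\$\d+/g) || []).length;
}

// Side-by-side result for the constructed sample.
function compareBuilders(nodeIds = SAMPLE_NODE_IDS) {
  const safe = buildParentQuerySafe(nodeIds);
  return {
    unsafeTextCarriesInjectedClause: statementTextCarries(buildParentQueryUnsafe, nodeIds, INJECTED_MARKER),
    safeTextCarriesInjectedClause: statementTextCarries(buildParentQuerySafe, nodeIds, INJECTED_MARKER),
    safePlaceholderCount: countPlaceholders(safe.sql),
    safeParamCount: safe.params.length,
  };
}

console.log(JSON.stringify(compareBuilders(), null, 2));
```

`$n` is PostgreSQL's placeholder syntax; MySQL and SQLite drivers use `?`. Either way the driver sends the values separately from the statement, so the application never quotes or escapes them, and a primary key read from an untrusted row cannot change the query's shape.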

🤖 AI Executive Summary

NocoBase versions prior to 2.0.39 contain a critical SQL injection vulnerability in the queryParentSQL() function that allows attackers to execute arbitrary SQL commands through maliciously crafted primary key values. The flaw stems from unsafe string concatenation in recursive CTE queries and enables complete database compromise for organizations running affected versions. Immediate patching to version 2.0.39 or later is essential given the availability of working exploits.


🤖 AI Intelligence Analysis (analyzed: May 13, 2026 00:18)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using NocoBase for business application development face critical risk, particularly in the banking sector (SAMA-regulated institutions), government agencies (under NCA oversight), healthcare providers, and energy sector operations. The vulnerability allows complete database compromise, including customer data, financial records, and sensitive operational information. Organizations in the financial services sector are at highest risk due to regulatory requirements and data sensitivity. Telecom operators and e-commerce platforms using NocoBase for customer-facing applications are also significantly exposed.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, E-commerce and Retail, Insurance, Education
⚖️ Saudi Risk Score (AI): 8.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all NocoBase instances in your environment and document their versions
2. Restrict database access permissions to NocoBase application accounts (principle of least privilege)
3. Implement network segmentation to isolate NocoBase instances from critical systems
4. Enable comprehensive SQL query logging and monitoring for suspicious patterns
5. Review recent database access logs for signs of exploitation

PATCHING GUIDANCE:
1. Upgrade NocoBase to version 2.0.39 or later immediately
2. Test patches in non-production environments first
3. Plan maintenance windows with minimal business impact
4. Verify patch application by checking version numbers post-deployment

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests
2. Use database activity monitoring (DAM) solutions to detect anomalous SQL queries
3. Restrict user permissions to create records with special characters in primary key fields
4. Disable recursive eager loading features if not essential to operations
5. Implement input validation to reject primary key values containing SQL keywords or special characters

DETECTION RULES:
1. Monitor for SQL queries containing UNION, SELECT, DROP, INSERT, UPDATE, DELETE in recursive CTE contexts
2. Alert on primary key values containing quotes, semicolons, or SQL comment syntax (-- or /**/)
3. Track failed database queries followed by successful ones with unusual execution times
4. Monitor for multiple rapid requests to collections with recursive relationships
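A small detector for detection rules 1 and 2 above, as an added example that is not part of the advisory and not a NocoBase or vendor tool, run over constructed query-log and record-creation log lines. One refinement worth noting: a recursive parent lookup legitimately contains SELECT and UNION, so alerting on those keywords alone would fire on every normal request. The detector therefore baselines the normalized shape of known-good recursive queries (constants replaced by `?`, IN-list length ignored) and alerts when a recursive query deviates from the baseline, carries comment or stacked-statement syntax outside string literals, or contains a write keyword; primary keys from the record-creation log are checked against an allowlist. The log formats, table names, baseline query, `analyzeQuery`/`scanRecordLog` helpers and allowlist pattern are assumptions made for this example.

```javascript
// Added example (not from the advisory, not NocoBase code): detection logic for the
// page's rules 1 and 2 over constructed log lines. Formats and names are assumptions.

// Constructed known-good shape of the recursive parent lookup. In practice such baselines
// are collected from a staging run of the application, not written by hand.
const KNOWN_GOOD_RECURSIVE_QUERY =
  "WITH RECURSIVE ancestors AS (SELECT id, parent_id FROM tree WHERE id IN ('n1', 'n2') " +
  'UNION ALL SELECT t.id, t.parent_id FROM tree t JOIN ancestors a ON t.id = a.parent_id) ' +
  'SELECT id, parent_id FROM ancestors';

// Replace constants with ? so queries that differ only in data share one fingerprint.
function normalizeSql(sql) {
  return sql
    .replace(/'(?:[^']|'')*'/g, '?')     // quoted string literals ('' is an escaped quote)
    .replace(/\b\d+(?:\.\d+)?\b/g, '?')   // numeric constants
    .replace(/\?(?:\s*,\s*\?)+/g, '?')    // IN (?, ?, ?) -> IN (?), so list length is ignored
    .replace(/\s+/g, ' ')
    .trim();
}

const BASELINE_FINGERPRINTS = new Set([normalizeSql(KNOWN_GOOD_RECURSIVE_QUERY)]);

// Findings for one logged statement. Only recursive-CTE statements are examined, matching
// the scope of the rules above; checks run on the normalized text, i.e. outside literals,
// so a data value that merely contains the word "update" does not trigger anything.
function analyzeQuery(sql) {
  const findings = [];
  if (!/\bWITH\s+RECURSIVE\b/i.test(sql)) return findings;
  const shape = normalizeSql(sql);
  if (!BASELINE_FINGERPRINTS.has(shape)) findings.push('unknown-recursive-shape');
  if (/--|\/\*/.test(shape)) findings.push('comment-syntax');
  if (/;\s*\S/.test(shape)) findings.push('stacked-statement');
  if (/\b(DROP|INSERT|UPDATE|DELETE|ALTER|TRUNCATE)\b/i.test(shape)) findings.push('write-keyword');
  return findings;
}

// Constructed query-log lines: "<timestamp> query: <sql>". Lines 0 and 1 are benign;
// lines 2-4 are what a tampered recursive lookup could look like once logged.
const SAMPLE_QUERY_LOG = [
  `2026-05-13T00:18:01Z query: ${KNOWN_GOOD_RECURSIVE_QUERY}`,
  `2026-05-13T00:18:02Z query: SELECT id, name FROM users WHERE id = 42`,
  `2026-05-13T00:18:03Z query: WITH RECURSIVE ancestors AS (SELECT id, parent_id FROM tree WHERE id IN ('n1', 'x') OR ('1'='1') UNION ALL SELECT t.id, t.parent_id FROM tree t JOIN ancestors a ON t.id = a.parent_id) SELECT id, parent_id FROM ancestors`,
  `2026-05-13T00:18:04Z query: WITH RECURSIVE ancestors AS (SELECT id, parent_id FROM tree WHERE id IN ('n1', 'n2') --') UNION ALL SELECT t.id, t.parent_id FROM tree t JOIN ancestors a ON t.id = a.parent_id) SELECT id, parent_id FROM ancestors`,
  `2026-05-13T00:18:05Z query: WITH RECURSIVE ancestors AS (SELECT id, parent_id FROM tree WHERE id IN ('n1'); UPDATE tree SET parent_id = NULL --') UNION ALL SELECT t.id, t.parent_id FROM tree t JOIN ancestors a ON t.id = a.parent_id) SELECT id, parent_id FROM ancestors`,
];

// Returns [{ index, findings }] for every logged statement with at least one finding.
function scanQueryLog(lines) {
  const alerts = [];
  lines.forEach((line, index) => {
    const at = line.indexOf('query: ');
    if (at < 0) return;
    const findings = analyzeQuery(line.slice(at + 'query: '.length));
    if (findings.length > 0) alerts.push({ index, findings });
  });
  return alerts;
}

// Rule 2 / compensating control 5: allowlist for string primary keys. Letters, digits and
// underscore, with single hyphens between segments; this rejects quotes, semicolons,
// whitespace and the "--" comment marker. Assumed pattern; adjust to the real key format.
const PRIMARY_KEY_ALLOWLIST = /^[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*$/;
function isSafePrimaryKey(value) {
  return typeof value === 'string' && value.length <= 64 && PRIMARY_KEY_ALLOWLIST.test(value);
}

// Constructed record-creation audit lines: "... record.create collection=<c> pk=<key> user=<u>".
const SAMPLE_RECORD_LOG = [
  `2026-05-13T00:17:55Z record.create collection=tree pk=n3 user=alice`,
  `2026-05-13T00:17:58Z record.create collection=tree pk="x') OR ('1'='1" user=mallory`,
  `2026-05-13T00:18:00Z record.create collection=orders pk=ord-1042 user=alice`,
  `2026-05-13T00:18:06Z record.create collection=tree pk=a--b user=bob`,
];

// Returns the primary-key values that fail the allowlist.
function scanRecordLog(lines) {
  const flagged = [];
  for (const line of lines) {
    const m = /\bpk=(?:"([^"]*)"|(\S+))/.exec(line);
    if (!m) continue;
    const pk = m[1] !== undefined ? m[1] : m[2];
    if (!isSafePrimaryKey(pk)) flagged.push(pk);
  }
  return flagged;
}

console.log(JSON.stringify({
  queryAlerts: scanQueryLog(SAMPLE_QUERY_LOG),
  flaggedPrimaryKeys: scanRecordLog(SAMPLE_RECORD_LOG),
}, null, 2));
```

The fingerprint check is what catches the tautology in line 2, which carries no comment marker, no semicolon and no write keyword; keyword-only rules would miss it. Conversely the allowlist on record creation is the earlier and cheaper signal, since it fires when the hostile key is stored rather than when it is later rendered into a query.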
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for system development and maintenance
ECC 2024 A.14.2.5 - Secure development policy
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Monitoring of system use
🔵 SAMA CSF
SAMA CSF ID.GV-3 - Roles, responsibilities, and authorities are established
SAMA CSF PR.DS-6 - Data is protected from unauthorized access and corruption
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
SAMA CSF RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1 - Organizational controls for information security
ISO 27001:2022 A.14.2.1 - Secure development policy and procedures
ISO 27001:2022 A.14.2.5 - Secure development environment
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure that all system components and software are protected from known vulnerabilities
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 10.2 - Implement automated audit trails for all access to cardholder data
📦 Affected Products / CPE (1 entry)
nocobase:nocobase
📊 CVSS Score: 7.5 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: H (High)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
PR:L and AC:H match the description: the attacker needs an account able to create a record with a string primary key in the affected collection, and the injected SQL only executes when a later request triggers recursive eager loading on that collection.
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-89
EPSS: 4.21%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-05-07
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.8 / 10.0
Priority: CRITICAL
🏷️ Tags
exploit-available patch-available CWE-89