Vulnerability  ·  2026-07-17

NocoBase AI-Powered No-Code Platform — Unauthenticated Time-Based SQL Injection

VulnerabilityHigh impactGlobalCVE-2026-52887
NocoBase's in-app notification plugin exposed a public list endpoint whose timestamp filter parameter is directly inserted into a SQL query, permitting unauthenticated blind SQL injection.
NocoBase is marketed as an AI-powered application builder used for building business/enterprise apps; unauthenticated SQL injection with CVSS 10.0 can lead to full database compromise of any application built on the affected platform.
The GET /api/myInAppChannels:list endpoint inserts the filter[latestMsgReceiveTimestamp][$lt] value into a SQL query without sanitization, letting an unauthenticated attacker perform time-based blind SQL injection against the underlying database.
NocoBase @nocobase/plugin-notification-in-app-message, prior to 2.0.61
Upgrade to NocoBase 2.0.61 or later.
NVD CVE-2026-52887NocoBase GitHub commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →