CVE-2026-47375
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
Description
### Summary

An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. The value is unrestricted by formula validation and embedded into a `knex.raw` `ORDER BY` clause, executing during column creation and on every subsequent record read of the formula column.

### Details

The vulnerability is specific to the Postgres mapping for `ARRAYSORT` in `packages/nocodb/src/db/functionMappings/pg.ts`. Two factors combine:

1. `ARRAYSORT` declares only argument count, not `validation.args.type`, so `validate-extract-tree.ts` does not enforce an allowlist on the second argument.
2. The Postgres mapping then passes the attacker-controlled value through `sanitize(knex.raw(...))` into a raw SQL fragment:

```ts
const direction = pt.arguments[1]
  ? sanitize(
      knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder),
    )
  : knex.raw('asc');

return {
  builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),
};
```

`sanitize()` in `sqlSanitize.ts` only escapes `?` placeholder characters; it does not validate SQL syntax. A payload such as `"desc, (SELECT COUNT(*) FROM generate_series(1,30000000))"` is accepted, persisted, and re-executed on every read of the formula column.

### Impact

- Authenticated SQL injection against Postgres-backed bases.
- Requires `columnAdd` permission (creator/owner-level).
- Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).
- Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.
- Limited to Postgres backends.

### Credit

This issue was reported by [@leduckhuong](https://github.com/leduckhuong).
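The root cause above is that a free-form string reaches an `ORDER BY` clause, and `sanitize()` (which only escapes `?`) cannot help because the problem is syntactic, not a placeholder issue. The following is an added, self-contained TypeScript example, not NocoDB's code and not the project's actual fix (the remediation is the 2026.04.1 upgrade listed below). It contrasts the vulnerable pattern with an allowlist that maps the `direction` argument onto the closed set `asc`/`desc` before any SQL is assembled. The `buildArraySortUnsafe`, `parseSortDirection` and `buildArraySortSafe` helpers are hypothetical stand-ins for the `knex.raw(...)` call in `pg.ts`; they return plain SQL strings so the example runs offline, and the payload string is constructed for illustration.

```typescript
// Added example (not NocoDB's code): allowlist the ARRAYSORT direction argument
// before it reaches a raw ORDER BY clause. These helpers are hypothetical
// stand-ins for the knex.raw(...) call in pg.ts; they emit plain SQL strings.

type SortDirection = 'ASC' | 'DESC';

// Vulnerable pattern (for contrast): the caller-supplied value is interpolated
// into the ORDER BY clause as-is, so any SQL appended after "desc" is executed.
function buildArraySortUnsafe(sourceColumn: string, direction?: string): string {
  const dir = direction ?? 'asc';
  return `ARRAY(SELECT UNNEST("${sourceColumn}") ORDER BY 1 ${dir})`;
}

// Hardened pattern: map the argument onto a closed set of SQL keywords and
// reject everything else before any SQL is assembled. Because the return type
// is the literal union 'ASC' | 'DESC', nothing else can flow into the query.
function parseSortDirection(direction?: string): SortDirection {
  if (direction === undefined) return 'ASC';
  const normalized = direction.trim().toLowerCase();
  if (normalized === 'asc') return 'ASC';
  if (normalized === 'desc') return 'DESC';
  throw new Error(
    `ARRAYSORT direction must be "asc" or "desc", got ${JSON.stringify(direction)}`,
  );
}

function buildArraySortSafe(sourceColumn: string, direction?: string): string {
  const dir = parseSortDirection(direction); // only 'ASC' | 'DESC' reaches the SQL
  const quoted = `"${sourceColumn.replace(/"/g, '""')}"`; // quote the identifier
  return `ARRAY(SELECT UNNEST(${quoted}) ORDER BY 1 ${dir})`;
}

// Constructed payload of the shape described in the advisory (illustration only).
const constructedPayload = 'desc, (SELECT COUNT(*) FROM generate_series(1,30000000))';

// Demonstration: the unsafe builder embeds the extra SQL; the safe one rejects it.
console.log(buildArraySortUnsafe('tags', constructedPayload));
try {
  buildArraySortSafe('tags', constructedPayload);
} catch (e) {
  console.log('rejected:', (e as Error).message);
}
console.log(buildArraySortSafe('tags', 'desc'));
```

The design point is that validation happens at the type boundary: once `parseSortDirection` returns, the compiler guarantees the only values that can be spliced into the raw fragment are the two keywords, which is the same effect a `validation.args.type` allowlist on the second argument would have in the formula validator.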
How to patch CVE-2026-47375
To patch CVE-2026-47375, upgrade the affected package to the patched version listed below.
- Upgrade to 2026.04.1 or later
Is CVE-2026-47375 being exploited?
There are currently no exploitation signals. CVE-2026-47375 is neither in the CISA KEV catalog nor does it have a recent EPSS score.