Cyber Resilience

CVE-2026-28399

Medium

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v4 6.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0032 23.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-28399 is a medium-severity SQL Injection (CWE-89) vulnerability in Nocodb Nocodb. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28399 is a SQL injection vulnerability (CWE-89) affecting NocoDB, an open-source software platform for building databases as spreadsheets. In versions prior to 0.301.3, an authenticated user with the Creator role can inject arbitrary SQL code through the unit parameter of the DATEADD formula. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.

An attacker with Creator role access can exploit this flaw over the network without user interaction by crafting a malicious DATEADD formula that executes arbitrary SQL. Successful exploitation enables full control over the underlying database, allowing unauthorized data access, modification, or deletion, as well as potential denial of service, given the high impacts on confidentiality, integrity, and availability.

The NocoDB security advisory (GHSA-45rp-9p97-h852) and release notes for version 0.301.3 confirm the issue has been patched by addressing the improper sanitization in the DATEADD formula's unit parameter. Security practitioners should upgrade to NocoDB 0.301.3 or later and review access controls for Creator roles to mitigate risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing NocoDB web app directly enables remote exploitation for initial access (T1190); arbitrary SQL execution on backend DB enables data collection from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24769Same product: Nocodb Nocodb
CVE-2018-25199Shared CWE-89
CVE-2026-27179Shared CWE-89
CVE-2025-0308Shared CWE-89
CVE-2019-25581Shared CWE-89
CVE-2026-27885Shared CWE-89
CVE-2019-25479Shared CWE-89
CVE-2026-1476Shared CWE-89
CVE-2019-25526Shared CWE-89
CVE-2025-69365Shared CWE-89

Affected Assets

nocodb
nocodb
≤ 0.301.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation of user-supplied inputs like the DATEADD formula's unit parameter to block arbitrary SQL execution.

prevent

Mitigates the vulnerability through timely flaw remediation by patching NocoDB to version 0.301.3 or later, which addresses the improper sanitization.

prevent

Limits the impact of exploitation by enforcing least privilege on Creator roles, reducing the scope of unauthorized database access and modifications.

References