CVE-2026-28399
Published: 02 March 2026
Summary
CVE-2026-28399 is a high-severity SQL Injection (CWE-89) vulnerability in NocoDB. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring validation of user-supplied inputs, such as the DATEADD formula's unit parameter, to block arbitrary SQL execution.
- SI-2 (Flaw Remediation): Mitigates the vulnerability through timely flaw remediation by patching NocoDB to version 0.301.3 or later, which addresses the improper sanitization.
- Least privilege: Limits the impact of exploitation by enforcing least privilege on Creator roles, reducing the scope of unauthorized database access and modifications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing NocoDB web app directly enables remote exploitation for initial access (T1190); arbitrary SQL execution on backend DB enables data collection from databases (T1213.006).
NVD Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
Deeper analysis
CVE-2026-28399 is a SQL injection vulnerability (CWE-89) affecting NocoDB, an open-source software platform for building databases as spreadsheets. In versions prior to 0.301.3, an authenticated user with the Creator role can inject arbitrary SQL code through the unit parameter of the DATEADD formula. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.
An attacker with Creator role access can exploit this flaw over the network without user interaction by crafting a malicious DATEADD formula that executes arbitrary SQL. Successful exploitation enables full control over the underlying database, allowing unauthorized data access, modification, or deletion, as well as potential denial of service, given the high impacts on confidentiality, integrity, and availability.
The NocoDB security advisory (GHSA-45rp-9p97-h852) and release notes for version 0.301.3 confirm the issue has been patched by addressing the improper sanitization in the DATEADD formula's unit parameter. Security practitioners should upgrade to NocoDB 0.301.3 or later and review access controls for Creator roles to mitigate risk.
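The SI-10 control listed above and the sanitization gap described in this analysis, as an added illustration that is not NocoDB's own code: a formula-to-SQL step in which a user-controlled DATEADD unit argument reaches the SQL text, the allowlist check that stops it, and a sweep over stored formula text that flags units outside the allowlist. The DATEADD(column, amount, unit) syntax, the column names and the sample formulas are assumptions constructed for the example.

```javascript
// Added illustration, not NocoDB's code. Units the formula engine is willing
// to translate: keys are what a user may type, values are the exact SQL tokens
// that will be emitted. Nothing from the input is ever copied into the SQL.
const ALLOWED_UNITS = new Map([
  ['day', 'DAY'], ['week', 'WEEK'], ['month', 'MONTH'], ['year', 'YEAR'],
]);

// Weak pattern: the unit string is pasted into the SQL as-is, so its whole
// content becomes part of the statement the database executes.
function dateAddUnsafe(column, amount, unit) {
  return `DATE_ADD(${column}, INTERVAL ${amount} ${unit})`;
}

// Hardened pattern (SI-10 style): every user-controlled piece is validated
// against a fixed set before any SQL text exists, and the emitted unit token
// comes from the allowlist, never from the input.
function dateAddSafe(column, amount, unit, knownColumns) {
  if (!knownColumns.includes(column)) throw new Error(`unknown column: ${column}`);
  if (!Number.isInteger(amount)) throw new Error('amount must be an integer');
  const sqlUnit = ALLOWED_UNITS.get(String(unit).trim().toLowerCase());
  if (sqlUnit === undefined) throw new Error(`unsupported unit: ${unit}`);
  return `DATE_ADD(\`${column}\`, INTERVAL ${amount} ${sqlUnit})`;
}

// Defender-side sweep: scan stored formula text for DATEADD calls whose unit
// argument is not an allowlisted word, e.g. to audit formulas that Creators
// saved before the upgrade to a patched version. Hypothetical formula syntax.
const DATEADD_RE = /DATEADD\s*\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]*?)\s*\)/gi;

function findSuspiciousDateAdd(formulaText) {
  const hits = [];
  for (const m of formulaText.matchAll(DATEADD_RE)) {
    const unit = m[3].replace(/^['"]|['"]$/g, '');
    if (!ALLOWED_UNITS.has(unit.toLowerCase())) hits.push({ column: m[1], unit });
  }
  return hits;
}

// Constructed sample of stored formulas (not real NocoDB data).
const SAMPLE_FORMULAS = [
  'DATEADD({Due}, 7, "day")',
  'CONCAT({First}, " ", {Last})',
  'DATEADD({Start}, 1, "month")',
  'DATEADD({Start}, 1, "fortnight")',
];

console.log(SAMPLE_FORMULAS.flatMap(findSuspiciousDateAdd));
```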
Details
- CWE(s)