Cyber Resilience

CVE-2026-41640

High · Public PoC

Published: 07 May 2026

Modified: 12 May 2026
KEV Added: not listed
Patch: available (fixed in 2.0.39)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0187 (76.8th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-41640 is a high-severity SQL injection (CWE-89) vulnerability in NocoBase (vendor Nocobase, product Nocobase). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is classified as AI-related: category LLM Application Platforms, risk domain Data-Related Vulnerabilities.

Deeper analysis

NocoBase, an AI-powered no-code/low-code platform, is affected by a SQL injection vulnerability (CWE-89) in the queryParentSQL() function of its core database package prior to version 2.0.39. The function builds a recursive common table expression (CTE) by concatenating the values of a nodeIds array directly into the query string instead of binding them as query parameters. Those values are primary keys read back from existing database rows, so stored, attacker-controlled data reaches the query text.

An attacker with low privileges who can insert a record whose string primary key contains SQL syntax can trigger arbitrary SQL execution whenever a subsequent operation performs recursive eager loading against the affected collection. The CVSS 7.5 vector reflects network reachability with high attack complexity, but full impact on confidentiality, integrity, and availability.

The issue is addressed in the v2.0.39 release, as documented in the corresponding GitHub commit, pull request, and security advisory GHSA-4948-f92q-f432, which recommend upgrading to the patched version. The associated EPSS score has remained flat at 0.0550 with no indicated rise after disclosure.

Vulnerability details

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
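As an added illustration (not NocoBase's code; the table, column and function names are this example's own), the same recursive parent walk is built two ways against an in-memory SQLite database: by splicing ids read from rows into the SQL text, the pattern described above, and by binding them as parameters. A row whose string primary key carries SQL syntax changes the meaning of the first query and is inert data in the second.

```python
import sqlite3

# Constructed sample data: an adjacency list with STRING primary keys, the
# precondition the advisory describes. Names here are this example's own.
CONSTRUCTED_ROWS = [("root", None), ("child", "root"),
                    ("grandchild", "child"), ("unrelated", None)]

# Recursive CTE walking parent links upward from a set of starting ids.
CTE_TEMPLATE = """
WITH RECURSIVE parents(id, parent_id) AS (
    SELECT id, parent_id FROM nodes WHERE id IN ({ids})
    UNION
    SELECT n.id, n.parent_id FROM nodes n JOIN parents p ON n.id = p.parent_id
)
SELECT id FROM parents"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (id TEXT PRIMARY KEY, parent_id TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn

def query_parents_concat(conn, node_ids):
    """Vulnerable pattern: ids read from rows are spliced into the SQL text."""
    sql = CTE_TEMPLATE.format(ids=", ".join(f"'{i}'" for i in node_ids))
    return sorted(r[0] for r in conn.execute(sql))

def query_parents_param(conn, node_ids):
    """Hardened pattern: one placeholder per id; values are bound, not parsed."""
    sql = CTE_TEMPLATE.format(ids=", ".join(["?"] * len(node_ids)))
    return sorted(r[0] for r in conn.execute(sql, list(node_ids)))

def demo():
    conn = make_db()
    normal = query_parents_param(conn, ["grandchild"])  # ancestor chain
    # A low-privileged user stores a row whose primary key carries SQL syntax;
    # a later eager load reads that id back and feeds it to the query builder.
    hostile_id = "x') OR ('1'='1"
    conn.execute("INSERT INTO nodes VALUES (?, NULL)", (hostile_id,))
    ids_from_rows = [r[0] for r in conn.execute(
        "SELECT id FROM nodes WHERE parent_id IS NULL AND id = ?", (hostile_id,))]
    leaked = query_parents_concat(conn, ids_from_rows)   # tautology: every row
    contained = query_parents_param(conn, ids_from_rows)  # only that one row
    return normal, leaked, contained

if __name__ == "__main__":
    print(demo())
```

The concatenating builder returns every row of the table once the stored id is read back, while the parameterized builder returns only the row that literally matches it; the detection takeaway is that the hostile value never appears in a request, only in the database.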

CWE(s)

CWE-89: SQL Injection

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct SQL injection in a public-facing web application via unparameterized query construction enables remote exploitation of the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41641 (same product: Nocobase Nocobase)
CVE-2026-34156 (same product: Nocobase Nocobase)
CVE-2026-22687 (shared CWE-89)
CVE-2026-30860 (shared CWE-89)
CVE-2024-10835 (shared CWE-89)
CVE-2026-32628 (shared CWE-89)
CVE-2026-2993 (shared CWE-89)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)

Affected Assets

Vendor: nocobase
Product: nocobase
Versions: ≤ 2.0.39

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-89
Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses: CWE-89
Validates query inputs to prevent SQL syntax or command manipulation.