CVE-2026-41640
Published: 07 May 2026
Summary
CVE-2026-41640 is a high-severity SQL Injection (CWE-89) vulnerability in NocoBase. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Data-Related Vulnerabilities risk domain.
Deeper analysis
NocoBase, an AI-powered no-code/low-code platform, is affected by a SQL injection vulnerability (CWE-89) in the queryParentSQL() function of its core database package prior to version 2.0.39. The function builds a recursive CTE by concatenating the values of a nodeIds array directly into the query string instead of binding them as query parameters; the array contents are primary keys read from existing database rows, so row data is treated as SQL text.
An attacker with low privileges who can insert a record whose string primary key contains SQL syntax can cause arbitrary SQL to execute whenever a later operation performs recursive eager loading against the affected collection. The CVSS 7.5 vector reflects network reachability with high attack complexity and full impact on confidentiality, integrity, and availability.
The issue is fixed in the v2.0.39 release, as documented in the corresponding GitHub commit, pull request, and security advisory GHSA-4948-f92q-f432, which recommend upgrading to the patched version. The associated EPSS score has remained flat at 0.0550, with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28261
Vulnerability details
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
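The following is an added illustration of the weakness class described in the "Deeper analysis" and "Vulnerability details" sections above; it is not NocoBase's code and does not reproduce the real queryParentSQL() implementation. It assumes a hypothetical `nodes` table with a string primary key `id` and a `parent_id` link, builds a parent-walking recursive CTE two ways (ids concatenated into the SQL text, then ids bound as parameters), and runs both against constructed sample rows in an in-memory SQLite database. A key that merely contains a quote character is enough to show the difference: the concatenating builder turns row data into SQL syntax and the statement breaks, while the parameterized builder returns the correct ancestor chain for the same key.

```python
import sqlite3

# Constructed sample hierarchy (not NocoBase data): (id, parent_id).
# The last key contains a quote, which is a legitimate value in any string primary key.
SAMPLE_ROWS = [
    ("root", None),
    ("child-a", "root"),
    ("child-b", "root"),
    ("grandchild", "child-a"),
    ("o'neil", "child-b"),
]

# Shared body of the recursive CTE: anchor on the requested ids, then walk up via parent_id.
CTE_TEMPLATE = (
    "WITH RECURSIVE ancestors(id, parent_id) AS ("
    "  SELECT id, parent_id FROM nodes WHERE id IN ({ids})"
    "  UNION ALL"
    "  SELECT n.id, n.parent_id FROM nodes n JOIN ancestors a ON n.id = a.parent_id"
    ") SELECT id FROM ancestors"
)


def make_db():
    """Create the hypothetical nodes table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (id TEXT PRIMARY KEY, parent_id TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_parent_sql_unsafe(node_ids):
    """Flawed pattern: primary-key values are quoted by hand and joined into the SQL text.

    Returns (sql, params); params is empty because everything is embedded in the string.
    """
    id_list = ", ".join(f"'{node_id}'" for node_id in node_ids)
    return CTE_TEMPLATE.format(ids=id_list), ()


def query_parent_sql_safe(node_ids):
    """Hardened pattern: one '?' placeholder per id, values passed as bound parameters."""
    placeholders = ", ".join("?" for _ in node_ids)
    return CTE_TEMPLATE.format(ids=placeholders), tuple(node_ids)


def ancestors(conn, builder, node_ids):
    """Run the CTE produced by `builder` and return the sorted set of ancestor ids."""
    sql, params = builder(node_ids)
    return sorted({row[0] for row in conn.execute(sql, params)})


def is_rejected_as_malformed(conn, builder, node_ids):
    """True if the database refuses the statement, i.e. row data has become SQL syntax."""
    try:
        ancestors(conn, builder, node_ids)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Plain keys: both builders agree.
    print(ancestors(db, query_parent_sql_unsafe, ["grandchild"]))
    print(ancestors(db, query_parent_sql_safe, ["grandchild"]))
    # A key with a quote: the concatenating builder breaks, the bound one works.
    print(is_rejected_as_malformed(db, query_parent_sql_unsafe, ["o'neil"]))
    print(ancestors(db, query_parent_sql_safe, ["o'neil"]))
```

The detection-side takeaway is the same as the fix: any query builder that formats identifiers or key values into SQL text by hand is a finding, regardless of where the values came from. Values read back from the database are still attacker-influenced whenever a lower-privileged user was allowed to write them, so "it came from a row" is not a trust boundary; binding parameters (or, for SQL that cannot be parameterized, strict validation of the key format) is what removes the data-to-code path.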
AI Security Analysis
- AI Category
- LLM Application Platforms
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct SQL injection in a public-facing web application, via unparameterized query construction, enables remote exploitation of the application.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.