VYPR
Medium severity (6.0) · NVD Advisory · Published Jun 5, 2026

NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`

CVE-2026-47375

Description

Summary

An authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column.

Details

The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. Two factors combine:

  1. ARRAYSORT declares only argument count, not validation.args.type, so validate-extract-tree.ts does not enforce an allowlist on the second argument.
  2. The Postgres mapping then passes the attacker-controlled value through sanitize(knex.raw(...)) into a raw SQL fragment:
const direction = pt.arguments[1]
  ? sanitize(
      knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder),
    )
  : knex.raw('asc');

return {
  builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),
};

sanitize() in sqlSanitize.ts only escapes ? placeholder characters; it does not validate SQL syntax. A payload such as "desc, (SELECT COUNT(*) FROM generate_series(1,30000000))" is accepted, persisted, and re-executed on every read of the formula column.
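To make the two points above concrete, here is an added illustration (not NocoDB's code and not the project's fix) that models the literal-argument path of the Postgres mapping: a `sanitize` that only escapes `?`, the fragment built from an unchecked direction, and a hypothetical hardened variant that allowlists the direction keyword. `quoteIdent` stands in for knex's `??` identifier binding, and `ADVISORY_PAYLOAD` is the example string quoted in the advisory.

```typescript
// Added example; assumptions: quoteIdent models knex's `??` identifier
// binding, and the argument shape { value?: string } covers only the
// string-literal case (the expression-builder fallback is not modelled).
type FormulaArg = { value?: string };

// The direction string quoted in the advisory (reproduced for the check below).
const ADVISORY_PAYLOAD =
  'desc, (SELECT COUNT(*) FROM generate_series(1,30000000))';

// As described on the page: only `?` placeholder characters are escaped,
// nothing about the SQL itself is validated.
function sanitize(fragment: string): string {
  return fragment.replace(/\?/g, '\\?');
}

// Stand-in for knex's `??` binding: double-quote an identifier.
function quoteIdent(name: string): string {
  return `"${name.replace(/"/g, '""')}"`;
}

// Unsafe shape: the optional direction argument is spliced into the
// ORDER BY clause as raw SQL, so anything it carries reaches Postgres.
function arraySortUnsafe(source: string, direction?: FormulaArg): string {
  const dir = direction?.value !== undefined ? sanitize(direction.value) : 'asc';
  return `ARRAY(SELECT UNNEST(${quoteIdent(source)}) ORDER BY 1 ${dir})`;
}

// Hardened shape (hypothetical): the direction is compared against an
// allowlist of the two sort keywords and anything else is rejected before
// any SQL is built, so the fragment can only ever end in "asc" or "desc".
const SORT_DIRECTIONS: ReadonlySet<string> = new Set(['asc', 'desc']);

function arraySortSafe(source: string, direction?: FormulaArg): string {
  const dir = (direction?.value ?? 'asc').trim().toLowerCase();
  if (!SORT_DIRECTIONS.has(dir)) {
    throw new Error(
      `ARRAYSORT: direction must be "asc" or "desc", got ${JSON.stringify(direction?.value)}`,
    );
  }
  return `ARRAY(SELECT UNNEST(${quoteIdent(source)}) ORDER BY 1 ${dir})`;
}
```

Running the unsafe builder on the advisory's string shows it passing through `sanitize` untouched, while the allowlisted builder refuses it and accepts only the two keywords.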

Impact

  • Authenticated SQL injection against Postgres-backed bases.
  • Requires columnAdd permission (creator/owner-level).
  • Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).
  • Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.
  • Limited to Postgres backends.

Credit

This issue was reported by @leduckhuong.


Vulnerability mechanics

Root cause

"The formula engine does not properly validate the `direction` argument of the `ARRAYSORT` function, allowing arbitrary SQL injection."

Attack vector

An authenticated user with `columnAdd` permission can exploit this vulnerability by providing a malicious string as the `direction` argument to the `ARRAYSORT` function. This value is directly embedded into a raw SQL `ORDER BY` clause without sufficient sanitization. The injected SQL executes during column creation and on every subsequent read of the formula column, potentially leading to denial-of-service conditions by causing query stalls [ref_id=1].

Affected code

The vulnerability resides in the Postgres mapping for the `ARRAYSORT` function, located in `packages/nocodb/src/db/functionMappings/pg.ts`. Specifically, the code passes the `direction` argument through `sanitize(knex.raw(...))` into a raw SQL fragment without adequate validation [ref_id=1].

What the fix does

The advisory indicates that the vulnerability is addressed by a release tagged `2026.04.1` [ref_id=1]. While a specific patch is not provided, the fix likely involves implementing stricter validation for the `direction` argument within the `ARRAYSORT` function's Postgres mapping to prevent arbitrary SQL code execution.

Preconditions

  • auth: The attacker must be authenticated.
  • auth: The attacker must possess `columnAdd` permission on a Postgres-backed base.
  • config: The affected base must be configured to use a Postgres database.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
