External risk intelligence

NocoBase In-App Message Plugin SQL Injection Leads to Command Execution.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-52887

NocoBase is a web-based application platform intended for business operations and enterprise solutions. As a platform for building web applications, these services are commonly deployed as internet-facing web portals or API endpoints to allow access for users and application integrations, making the underlying API surface likely to be reachable from the internet in common deployments.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the NocoBase application development platform. The flaw could allow authenticated users to execute arbitrary commands on the underlying server by sending specially crafted requests. Given NocoBase's role in building business applications, this type of vulnerability could have significant implications if exploited, potentially leading to unauthorized access or control of sensitive systems.

  • A flaw lets users run commands on the server.
  • It impacts business apps built with NocoBase.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An authenticated user of NocoBase can exploit a flaw in the in-app messaging feature to execute arbitrary PostgreSQL commands. By sending a specially crafted GET request to the `/api/myInAppChannels:list` endpoint, an attacker can manipulate the `filter[latestMsgReceiveTimestamp][$lt]` parameter. This parameter is directly embedded into a database query without proper sanitization, allowing the injection of additional SQL statements, including commands to run operating system processes.

  • Entry condition: Authenticated user.
  • Trigger point: Malicious GET request to API.
  • Resulting risk: Command execution on server.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an authenticated user could potentially execute arbitrary commands on the server. This could impact system data and service behavior by allowing unauthorized command execution.

  • Server data and system commands at risk.
  • Arbitrary command execution possible.
  • Potential for unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

For NocoBase deployments, application owners or platform teams are likely responsible for addressing this vulnerability. The first practical step is to identify all NocoBase instances, confirm their reachability and business criticality, and then determine the accountable owner for remediation planning.

  • App owners and platform teams should lead.
  • Verify NocoBase instances and their exposure.
  • Plan and coordinate remediation efforts.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is NocoBase?

NocoBase is a no-code and low-code development platform powered by AI, used by organizations to rapidly build and deploy custom business applications and enterprise-grade software solutions. Because it acts as a foundation for operational workflows, it manages significant data and provides the core logic for the internal and external tools built upon it.

How does CVE-2026-52887 allow command execution?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). Specifically, the platform's in-app messaging plugin fails to properly sanitize user input, allowing an attacker to inject their own PostgreSQL commands. Because the system improperly embeds these inputs into query templates, it can inadvertently execute unauthorized database commands, including those that interact with the underlying operating system.

Do I need to be an administrator to trigger this bug?

No, you do not need administrative rights, but the vulnerability requires an authenticated session. An attacker must be a signed-up user within the NocoBase platform to access and manipulate the /api/myInAppChannels:list endpoint. Requests that are not authenticated, or those that do not specifically target the vulnerable filter parameter, will not trigger this command execution flaw.

Is my NocoBase instance at risk?

Halo Surface Signal notes that NocoBase instances are frequently deployed as internet-facing web portals or API endpoints to support business integrations. If your instance is reachable from the internet, it presents a broader attack surface. You should prioritize assessing your environment if your NocoBase installation is accessible externally or handles sensitive business logic.

When should I update NocoBase to fix this?

You should plan to update immediately. The first step is to inventory all NocoBase instances within your environment and verify their current version. If you are running any version prior to 2.0.61, your system is vulnerable. Coordinate with your platform or application owners to apply the 2.0.61 update, which specifically addresses the insecure query handling in the in-app message plugin.

References