Severity: MEDIUM

GHSA-45rp-9p97-h852

NocoDB Vulnerable to SQL Injection via DATEADD Formula

Details

### Summary

An authenticated user with the Creator role can inject arbitrary SQL via the `unit` parameter of the `DATEADD` formula.

### Details

The third argument (`unit`) of `DATEADD` was interpolated directly into `knex.raw()` queries after only stripping quote characters. The validation in `formulas.ts` checked only `Literal` AST node types, so any non-`Literal` node type bypassed validation entirely. The MySQL, PostgreSQL, and SQLite function mappings were all affected.
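The following JavaScript is an added illustration, not NocoDB's own code, contrasting the validation gap described above with a hardened version. The AST node helpers (`literal`, `rawNode`), the builder functions, the `created_at` column, and the MySQL/PostgreSQL templates are hypothetical stand-ins for the formula compiler; only the structural point is taken from the advisory, namely that just `Literal` nodes were checked and that the surviving text was interpolated after quote-stripping.

```javascript
// Added example (not NocoDB's code). Node shapes, function names and SQL
// templates are hypothetical; the validation gap mirrors the advisory.

// Constructed AST nodes, a simplified stand-in for a formula parser's output.
// `raw` is the source text a compiler would render for the node.
const literal = (value) => ({ type: 'Literal', value, raw: JSON.stringify(value) });
// Any non-Literal node (identifier, call, expression); only its text matters here.
const rawNode = (raw) => ({ type: 'Identifier', raw });

// Units the formula is meant to accept. In the hardened builder, only these
// tokens ever reach the SQL text.
const UNITS = new Set(['day', 'week', 'month', 'year']);

// Per-dialect rendering of "add one <unit> to created_at" (hypothetical column).
const TEMPLATES = {
  mysql: (unit) => `DATE_ADD(\`created_at\`, INTERVAL 1 ${unit})`,
  pg: (unit) => `"created_at" + INTERVAL '1 ${unit}'`,
};

// Vulnerable pattern: the allowlist check runs only when the node is a
// Literal. Any other node type skips it, and quote-stripping is the only
// transformation applied before the text is spliced into the query.
function buildDateAddVulnerable(unitNode, dialect = 'mysql') {
  if (unitNode.type === 'Literal' && !UNITS.has(unitNode.value)) {
    throw new Error(`invalid unit: ${unitNode.value}`);
  }
  const unit = unitNode.raw.replace(/['"]/g, '');
  return TEMPLATES[dialect](unit);
}

// Hardened pattern: reject anything that is not a string Literal regardless
// of node type, then map the value through the allowlist so user-controlled
// text never appears in the SQL string.
function buildDateAddFixed(unitNode, dialect = 'mysql') {
  if (unitNode.type !== 'Literal' || typeof unitNode.value !== 'string') {
    throw new Error('DATEADD unit must be a string literal');
  }
  const unit = unitNode.value.toLowerCase();
  if (!UNITS.has(unit)) {
    throw new Error(`invalid unit: ${unitNode.value}`);
  }
  return TEMPLATES[dialect](unit);
}

// Regression check for a test suite: generated SQL must equal one of the
// fixed templates over allowlisted units, with nothing extra in the unit slot.
function unitSlotIsClean(sql, dialect = 'mysql') {
  return [...UNITS].some((u) => TEMPLATES[dialect](u) === sql);
}

// Small helper so callers can assert that a builder rejects an input.
function rejects(fn) {
  try {
    fn();
    return false;
  } catch {
    return true;
  }
}

// Constructed inputs: a legitimate unit and a non-Literal node whose text
// would change the statement's structure if interpolated unchecked.
const goodUnit = literal('day');
const unchecked = rawNode('day) OR 1=1 --');

console.log(buildDateAddVulnerable(goodUnit)); // DATE_ADD(`created_at`, INTERVAL 1 day)
console.log(unitSlotIsClean(buildDateAddVulnerable(unchecked))); // false
console.log(rejects(() => buildDateAddFixed(unchecked))); // true
```

The test-suite helper `unitSlotIsClean` is the kind of check worth keeping after the fix: it fails whenever any builder lets text other than an allowlisted keyword into the unit position, independent of how the formula AST is shaped.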

### Impact

SQL injection allowing data exfiltration or modification, scoped to the connected database.

### Credit

This issue was reported by [@q1uf3ng](https://github.com/q1uf3ng).

Affected packages

npm / nocodb
Introduced in: 0
Fixed in: 0.301.3
Fix: `npm install nocodb@0.301.3`
