GHSA-p8wx-5f39-w3x4
NocoDB: SQL Injection via Column Title in Bulk GroupBy
Details
### Summary

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.
### Details

The bulk groupBy path in `group-by.ts` builds three database-specific `knex.raw()` aggregations that interpolate the request's `column_name` directly into the SQL string. Column lookup in `data-table.service.ts` matches on both the sanitized `column_name` field and the free-text `title`, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.
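The two defects the advisory describes (a column lookup that also matches on free-text `title`, and an aggregation that interpolates the request value into raw SQL) can be shown side by side with their hardened counterparts. The snippet below is an added illustration, not NocoDB's code: the column metadata, table name and hostile title are constructed samples, and the SQL strings are built by hand in place of `knex.raw()` so the example runs without a database. In knex itself the equivalent of `quoteIdent` is binding the name as an identifier (`knex.raw('??', [name])`) rather than splicing it into the string.

```javascript
// Constructed sample of a model's column metadata. `column_name` is the
// sanitized physical name; `title` is free text that anyone with
// column-create permission controls.
const sampleColumns = [
  { id: 'c1', column_name: 'amount', title: 'Amount' },
  // Constructed hostile title: a SQL fragment instead of a display name.
  { id: 'c2', column_name: 'cf_9a2', title: 'amount) FROM other_table --' },
];

// Vulnerable lookup pattern: the request value is accepted if it equals EITHER
// the sanitized column_name OR the free-text title.
function findColumnLoose(columns, requested) {
  return columns.find((c) => c.column_name === requested || c.title === requested);
}

// Vulnerable aggregation: the lookup acts as the allowlist, but the raw
// request text (not the stored column_name) is spliced into the SQL.
function buildGroupByUnsafe(columns, table, requested) {
  const col = findColumnLoose(columns, requested);
  if (!col) throw new Error(`unknown column: ${requested}`);
  return `SELECT ${requested}, COUNT(*) AS n FROM ${table} GROUP BY ${requested}`;
}

// Hardened lookup: only the sanitized column_name is a valid key; the
// user-controlled title never participates in resolution.
function findColumnStrict(columns, requested) {
  return columns.find((c) => c.column_name === requested);
}

// Hardened identifier quoting (hypothetical helper): reject anything that is
// not a plain identifier, then double-quote it so it can only ever be a name.
function quoteIdent(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`invalid identifier: ${name}`);
  }
  return `"${name}"`;
}

// Hardened aggregation: resolve strictly, then emit the STORED column_name as
// a quoted identifier. The request text itself never reaches the SQL.
function buildGroupBySafe(columns, table, requested) {
  const col = findColumnStrict(columns, requested);
  if (!col) throw new Error(`unknown column: ${requested}`);
  const ident = quoteIdent(col.column_name);
  return `SELECT ${ident}, COUNT(*) AS n FROM ${quoteIdent(table)} GROUP BY ${ident}`;
}

// Stand-alone demonstration of both paths on the constructed data.
function demo() {
  const hostile = sampleColumns[1].title;
  const out = { unsafe: buildGroupByUnsafe(sampleColumns, 'orders', hostile) };
  try {
    out.safe = buildGroupBySafe(sampleColumns, 'orders', hostile);
  } catch (e) {
    out.safe = `rejected: ${e.message}`;
  }
  return out;
}

console.log(demo());
```

The unsafe path passes the allowlist because the hostile string equals a stored title, and the resulting SQL contains the injected `FROM other_table` clause. The hardened path fails the strict lookup for the same input, and even a legitimate name is emitted as a quoted identifier taken from metadata rather than from the request.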
### Impact

SQL injection against the connected database: an attacker can read the result of any SQL expression they are able to place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.
### Credit

This issue was reported by [@geo-chen](https://github.com/geo-chen).