Critical SQL Injection Vulnerability in NocoBase (CVE-2026-52887)

Critical SQL Injection Vulnerability in NocoBase (CVE-2026-52887)

First seen 16 Jul 2026, 09:23 UTC Feedlycve.akaoma.comvulners.com 78% similarity 84.3

Article Content

Browse articles
ThreatCluster

CVE-2026-52887 is a critical SQL injection vulnerability affecting NocoBase, an AI-powered no-code/low-code platform. The flaw allows unauthenticated remote attackers to execute arbitrary SQL queries via the `latestMsgReceiveTimestamp` parameter in the `/api/myInAppChannels` endpoint. This vulnerability, which has a CVSS score of 10, could lead to unauthorized access, modification, or deletion of database contents. Currently, there is no evidence of public proof-of-concept or active exploitation. Users are advised to upgrade NocoBase to version 2.0.61 or later and implement input validation and parameterized queries to mitigate the risk. The vulnerability was published on July 15, 2026, and is categorized under CWE-89 for improper neutralization of special elements used in SQL commands.

Key Points: • CVE-2026-52887 is a critical SQL injection vulnerability with a CVSS score of 10. • Unauthenticated attackers can exploit this flaw to execute arbitrary SQL queries remotely. • Immediate upgrade to NocoBase version 2.0.61 or later is recommended to mitigate risks.

ThreatCluster AI

Timeline

2026-07-15
CVE-2026-52887 published
NocoBase disclosed a critical SQL injection vulnerability affecting its notification component.
NVD
2026-07-16
Security advisories issued
Advisories recommend upgrading NocoBase and implementing security measures to prevent exploitation.
Feedly
2026-07-16
Critical risk assessment
Experts classify CVE-2026-52887 as a catastrophic security flaw demanding immediate intervention.
cve.akaoma.com

Community

Browse all →