CVE-2026-47385

CVE-2026-47385 (NocoDB) : An authenticated user with base-create permission can attach a SQLite source that points to an arbitrary file on the host, bypassing location restrictions in the SQLite client and base-create services. This can target internal databases (e.g., noco.db or tenant databases...

CVE-2026-47385

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration creat...

CVE-2026-47386

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid accesstoken, refreshtoken pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

CVE-2026-47387

NocoDB (the issue CVE-2026-47387) has a stored XSS due to the shared form-view redirect_url handling. The vulnerable sink in packages/nc-gui/composables/useSharedFormViewStore.ts validates only string/non-empty redirect_url and fails to validate URL schemes, causing non-network schemes (e.g., jav...