428 matches found
CVE-2026-53931
NocoDB: Server-Side Request Forgery via the spreadsheet-import endpoint (axiosRequestMake) allowed unauthenticated use as a generic HTTP proxy prior to 2026.05.1, enabling potentially unintended requests to internal destinations. The issue is fixed in 2026.05.1. The GHSA/OSV/PT-Security disclosur...
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NPM: NocoDB: Server-Side Request Forgery via Base Migration URL
NPM: NocoDB: Server-Side Request Forgery via Base Migration URL vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NPM: NocoDB: Stored Cross-Site Scripting via Secure Attachment
NPM: NocoDB: Stored Cross-Site Scripting via Secure Attachment vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NPM: NocoDB: Refresh Tokens Persist Through Password Recovery
NPM: NocoDB: Refresh Tokens Persist Through Password Recovery vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Summary The spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL...
Insufficient Session Expiration
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke OAuth tokens in the revokeAllOAuthTokensByUser process after password change, reset, or recovery. An attacker can maintain unauthorized access by continuing...
GHSA-G72G-R7M4-9X4G NocoDB: OAuth Tokens Persist Through Security Events
Summary OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details revokeAllOAuthTokensByUser in the users service was an empty stub bein...
Authorization Bypass Through User-Controlled Key
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the readAttachment tool. An attacker can access files in the shared storage belonging to other users by supplying a known attachment path and a valid MCP token...
GHSA-XXPJ-Q764-9R6Q NocoDB: Missing Ownership Check in MCP Attachment Read
Summary A low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. Details The MCP readAttachment tool accepts...
NocoDB: Stored Cross-Site Scripting via Form View Redirect URL
Summary The shared form-view submit handler in NocoDB writes the form's redirecturl to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role or above on any base can plant a javascript: URL in the form's redirecturl; when an authenticated view...
Race Condition
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Race Condition through a race condition in the OAuth token exchange. An attacker can obtain multiple valid token pairs by making concurrent requests using the same authorization code and PKCE verifier. Remediation...
Directory Traversal
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Directory Traversal in the process that handles SQLite source filenames. An attacker can gain unauthorized access to or modify internal application data by supplying a crafted filename that points to arbitrary files...
GHSA-WVQJ-9WV4-7FF5 NocoDB: Path Traversal via SQLite Source Filename
Summary An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. Details The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to...
SQL Injection
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to SQL Injection via the bulk groupBy. An authenticated attacker can execute arbitrary SQL commands by setting a column's title to a crafted SQL fragment, which is then interpolated into a database query without proper...
GHSA-JF3G-4GWG-4H66 NocoDB: Stored Cross-Site Scripting via Row Comments
Summary An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. Details The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered...
Server-side Request Forgery (SSRF)
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the connection-test endpoint. An authenticated attacker can access internal network resources by supplying a crafted database host value when testing database connections...
GHSA-W43H-R5M5-P832 NocoDB: Server-Side Request Forgery via Database Connection Host
Summary The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses including IPv4-mapped IPv6 forms and localhost reached the driver. Details A new validateDbConnectionHost helpe...
User Impersonation
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to User Impersonation via the testConnection endpoint when the integration is fetched in a bypass scope and permission checks are insufficiently scoped to the integration's workspace. An attacker can gain unauthorized...