CVE-2026-46547

CVE-2026-46547 (NocoDB) is a reflected XSS in the Page Leaving Warning page. The issue arises because the query parameters ncRedirectUrl and ncBackUrl are used in window.location.href and in an tag href without proper validation, allowing javascript: URI injection. Exploitation could enable arbi...

CVE-2026-46548

NocoDB (CVE-2026-46548 ) exhibits an SSRF protection bypass in the notification webhook plugins for Slack, Discord, Mattermost, and Teams. Root cause: in the affected code paths, the httpAgent/httpsAgent were incorrectly placed in the request body of axios.post instead of the config argument, all...

CVE-2026-46549

CVE-2026-46549 affects NocoDB. Prior to version 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware did not enforce them. This allowed an OAuth token with a restricted scope to inherit the underlying user’s full permissi...

CVE-2026-46550

NocoDB’s CVE-2026-46550 concerns the refresh-token cookie being set with httpOnly but without Secure and SameSite attributes prior to 2026.04.1. The root cause is in setTokenCookie(), which emitted a cookie with only httpOnly (and possibly domain), leaving it vulnerable to interception over HTTP ...

CVE-2026-46553

CVE-2026-46553 affects NocoDB prior to 2026.04.1, where the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote file’s Content-Length or the decoded length of a data: URI. This allowed an authenticated user with upload permissions to bypass the configured per-file size ...

CVE-2026-47375

CVE-2026-47375 (NocoDB) : A Postgres-backed deployment is vulnerable to authenticated SQL injection through the ARRAYSORT formula when a user with columnAdd permission supplies a malicious second argument. The issue arises because the attacker-controlled value is embedded into a knex.raw ORDER BY...

CVE-2026-47376

CVE-2026-47376 (NocoDB) describes a reflected XSS on the password-reset flow. Before 2026.04.1, the token from the password-reset URL was directly embedded into a JavaScript string in a server-rendered EJS template, which does not escape single quotes or backslashes. This allowed an attacker-cont...

CVE-2026-47377

NocoDB before 2026.04.1 is vulnerable to an open redirect via the client-side hashRedirect plugin. The plugin constructs a URL from the hash fragment and uses window.location.replace, and it accepts protocol-relative paths (e.g., //attacker.com/…), enabling silent redirection to attacker-controll...

CVE-2026-47378

CVE-2026-47378 concerns NocoDB, where before 2026.04.1 public shared-view endpoints could expose hidden-column values through three paths: (1) groupBy could return raw values for any column named in the request, (2) filter and sort arrays operated on hidden columns allowed boolean-blind extractio...

CVE-2026-47380

CVE-2026-47380 affects NocoDB. The vulnerability stems from an unknown-user sign-in path in auth.service.ts where the unknown-user branch returned without a password hash check, causing timing differences between known and unknown emails. This could enable network-positioned attackers to enumerat...

CVE-2026-46551

CVE-2026-46551 affects NocoDB’s v1/v2 attachment API upload-by-url. Before 2026.04.4, the uploadViaURL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or response stream. The HEAD probe read content-length but wasn’t compared to the limit, and storageAdapter.fileCr...

CVE-2026-46554

NocoDB prior to 2026.04.4 is affected by a stale-auth-cache issue: when an API token is deleted, the auth cache entry keyed by the token value is not evicted, allowing the token to continue authenticating until the cache entry expires. This creates a deletion-to-revocation window of up to three d...

CVE-2026-47382

CVE-2026-47382 concerns NocoDB, where the connection-test endpoint allowed SSRF by opening a raw TCP socket to a user-supplied database host without DNS resolution and range checks. This could reach private/link-local addresses (including IPv4-mapped IPv6 and localhost) before a fix. The issue is...

CVE-2026-47379

CVE-2026-47379 – NocoDB : The shared-view password check used a strict-equality comparison for legacy plaintext passwords, leaking the password length and per-character prefix via response timing. The bcrypt branch was unaffected; the vulnerability lies in the legacy comparison path in the shared...

CVE-2026-47381

CVE-2026-47381 affects NocoDB prior to 2026.05.1, where a user in one workspace could abuse the testConnection endpoint to access another workspace’s integration due to the integration being fetched in a bypass scope and permission checks being evaluated against any base in any workspace. The iss...

CVE-2026-47387

NocoDB (the issue CVE-2026-47387) has a stored XSS due to the shared form-view redirect_url handling. The vulnerable sink in packages/nc-gui/composables/useSharedFormViewStore.ts validates only string/non-empty redirect_url and fails to validate URL schemes, causing non-network schemes (e.g., jav...

CVE-2026-47388

NocoDB is affected by CVE-2026-47388: Missing ownership check in MCP Attachment Read allows a low-privilege MCP token holder with knowledge of an attachment path to read files in shared storage (including attachments from other bases/workspaces). The issue arises because readAttachment did not ve...

CVE-2026-53926

NocoDB vulnerability CVE-2026-53926: prior to 2026.05.1, revokeAllOAuthTokensByUser was an empty stub used by passwordChange, passwordForgot, and passwordReset, so OAuth access and refresh tokens were not revoked after a password change/reset, allowing an attacker-issued token to remain valid. Th...

CVE-2026-53927

CVE-2026-53927 affects NocoDB's spreadsheet-fetch endpoint (axiosRequestMake), where URLs with a permitted extension anywhere in the path could bypass the initial blocklist of 127.0.0.0/8 and 169.254.0.0/16 and reach the cloud-metadata endpoint. The issue allowed authenticated editors to access i...

CVE-2026-53930

The CVE describes a Server-Side Request Forgery in NocoDB via the base-migration endpoint. A caller-supplied migration URL could be dereferenced by the migration worker without enforcing protocol or destination, enabling scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. ...