Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.
Published: 2026-01-28
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service caused by prototype pollution that disables all database write operations
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a prototype pollution flaw in the /api/v2/meta/connection/test endpoint that can be triggered by an authenticated user with org-level-creator permissions. Once the prototype has been polluted, every database write operation fails across the entire application until the server is restarted, effectively preventing data persistence. The weakness is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution").

Affected Systems

NocoDB, software for building databases as spreadsheets. All versions before 0.301.0 are affected, regardless of deployment environment. No other vendors or unrelated products are affected.

Risk and Exploitability

The CVSS score of 4.9 falls in the medium severity range, and the EPSS score below 1% indicates a very low but non-zero likelihood of exploitation in the wild. NocoDB is not currently listed in the CISA KEV catalog. An attacker must authenticate as an org-level creator, which limits who can exploit the flaw; once authenticated, however, the attacker can cause a denial of service by polluting the object prototype, and a server restart is required to restore normal operation.

Generated by OpenCVE AI on April 18, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.0 or later where the prototype pollution is fixed.
  • Revoke org‑level‑creator permissions for users who do not require them and enforce stricter role‑based access controls.
  • Monitor application and HTTP logs for frequent or abnormal use of the /api/v2/meta/connection/test endpoint and apply rate limiting or temporary blocking if suspicious activity is detected.



Advisories
Source: Github GHSA
ID: GHSA-95ff-46g6-6gw9
Title: NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
History

Wed, 04 Feb 2026 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*

Fri, 30 Jan 2026 00:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Nocodb, Nocodb nocodb

Type: Vendors & Products
Values Added: Nocodb, Nocodb nocodb

Wed, 28 Jan 2026 20:30:00 +0000

Type: Description
Values Added: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.

Type: Title
Values Added: NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS

Type: Weaknesses
Values Added: CWE-1321

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T18:01:30.160Z

Reserved: 2026-01-26T21:06:47.868Z

Link: CVE-2026-24766

Vulnrichment

Updated: 2026-01-29T16:03:36.099Z

NVD

Status: Analyzed

Published: 2026-01-28T21:16:12.103

Modified: 2026-02-04T20:06:08.177

Link: CVE-2026-24766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses