Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A client-side plugin in NocoDB uses window.location.replace to act on a URL fragment that begins with a forward slash. The plugin validates only that the fragment starts with "/", which also accepts protocol-relative URLs such as //attacker.com/. The plugin treats such a fragment as a relative path, but the browser resolves it as a protocol-relative URL and redirects to the attacker's site without the user noticing. This is a CWE-601 open redirect flaw. It does not provide code execution or direct control over the application, but it can enable phishing, credential theft, or drive-by downloads against users who are socially engineered into clicking a malicious link.
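As an added example that is not NocoDB's code, the single leading-slash check described above sits beside a same-origin validator that rejects protocol-relative and backslash variants; APP_ORIGIN and the host names are constructed placeholders. Because a URL fragment is never sent to the server, this validation has to run in the client.

```javascript
// Added example, not NocoDB's code. APP_ORIGIN is a constructed placeholder
// standing in for the deployed application's own origin.
const APP_ORIGIN = "https://nocodb.example.invalid";

// The pre-2026.04.1 pattern described in the advisory: a lone startsWith('/')
// test. "//other-host/path" begins with "/" too, yet browsers resolve it as a
// protocol-relative URL pointing at other-host, not as a local path.
function isLocalPathNaive(hashPath) {
  return typeof hashPath === "string" && hashPath.startsWith("/");
}

// Hardened check: require exactly one leading slash that is not followed by
// "/" or "\" (the WHATWG parser treats "\" like "/" for http(s) URLs), then
// resolve against the app's own origin and confirm the origin is unchanged.
function isSameOriginPath(hashPath, appOrigin = APP_ORIGIN) {
  if (typeof hashPath !== "string" || !/^\/(?![\/\\])/.test(hashPath)) {
    return false;
  }
  let resolved;
  try {
    resolved = new URL(hashPath, appOrigin);
  } catch {
    return false; // unparsable input is rejected, never redirected
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// Turns a raw location.hash value into an absolute same-origin target, or
// null when the fragment must not be acted on. A caller passes the result
// to window.location.replace() only when it is non-null.
function safeRedirectTarget(hashFragment, appOrigin = APP_ORIGIN) {
  const raw = typeof hashFragment === "string" ? hashFragment : "";
  const hashPath = raw.startsWith("#") ? raw.slice(1) : raw;
  return isSameOriginPath(hashPath, appOrigin) ? new URL(hashPath, appOrigin).href : null;
}

// Constructed inputs: the first three have the shape the advisory describes,
// the last is a legitimate in-app path.
const samples = [
  "//attacker.example/login",
  "/\\attacker.example/login",
  "https://attacker.example/",
  "/dashboard/base1?view=grid",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "naive:", isLocalPathNaive(s), "hardened:", isSameOriginPath(s));
}
```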

Affected Systems

The vulnerability exists in the NocoDB application itself, specifically in versions released before 2026.04.1. NocoDB is developed by nocodb and the affected product is the full application where the hashRedirect plugin is enabled.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity; EPSS data is not available, and the issue is not listed in CISA's KEV catalog. Exploitation requires only a crafted link whose hash fragment points to a protocol-relative URL; any user who clicks the link is redirected. No special privileges are needed, and the attack relies on social-engineering or phishing vectors. The risk lies mainly in the loss of user trust and potential credential compromise rather than in direct compromise of the host system.

Generated by OpenCVE AI on June 24, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, where the hashRedirect plugin correctly validates redirect targets
  • If upgrading immediately is not possible, remove or disable the hashRedirect plugin until the patch is applied
  • Implement a WAF rule to block protocol‑relative URLs in hash fragments from the client side, preventing accidental redirects until a code change can be made

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-rvp5-9p55-f5rp   NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
History

Wed, 24 Jun 2026 01:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Nocodb; Nocodb nocodb
Vendors & Products    -                Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description   -                NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.
Title         -                NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
Weaknesses    -                CWE-601
References    -                -
Metrics       -                cvssV4_0: score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:35:06.569Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47377

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')