Impact
NocoDB is a tool for building databases as spreadsheets. Before version 2026.04.1, a client‑side hashRedirect plugin parsed the hash fragment of the URL, extracted a path, and then called window.location.replace() after only verifying that the path began with a forward slash. Because that check also accepts protocol‑relative URLs such as //att raise the browser to the attacker’s domain without user interaction. This flaw allows an attacker to craft a link that silently redirects visitors to an arbitrary origin. The vulnerability was remedied in 2026.04.1 and does not enable code execution; it represents a standard open‑redirect weakness (CWE‑601).
Affected Systems
The flaw resides in the NocoDB application itself, specifically before the release of version 2026.04.1. NocoDB is developed by nocodb and the entire web client includes the hashRedirect plugin for redirect handling.
Risk and Exploitability
The CVSS score of 5.1 denotes moderate severity, while EPSS data is not available and the issue is not listed in CISA’s KEV catalog. Exploitation requires only a crafted link that contains a protocol‑relative URL in the hash fragment; no special privileges or additional conditions are needed. The attack vector is principally social‑engineering or phishing, causing users to be redirected to malicious sites. The risk centers on user trust loss and potential credential compromise, rather than direct compromise of the host system.
OpenCVE Enrichment
Github GHSA