Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is a tool for building databases as spreadsheets. Before version 2026.04.1, a client‑side hashRedirect plugin parsed the hash fragment of the URL, extracted a path, and then called window.location.replace() after only verifying that the path began with a forward slash. Because that check also accepts protocol‑relative URLs such as //att raise the browser to the attacker’s domain without user interaction. This flaw allows an attacker to craft a link that silently redirects visitors to an arbitrary origin. The vulnerability was remedied in 2026.04.1 and does not enable code execution; it represents a standard open‑redirect weakness (CWE‑601).

Affected Systems

The flaw resides in the NocoDB application itself, specifically before the release of version 2026.04.1. NocoDB is developed by nocodb and the entire web client includes the hashRedirect plugin for redirect handling.

Risk and Exploitability

The CVSS score of 5.1 denotes moderate severity, while EPSS data is not available and the issue is not listed in CISA’s KEV catalog. Exploitation requires only a crafted link that contains a protocol‑relative URL in the hash fragment; no special privileges or additional conditions are needed. The attack vector is principally social‑engineering or phishing, causing users to be redirected to malicious sites. The risk centers on user trust loss and potential credential compromise, rather than direct compromise of the host system.

Generated by OpenCVE AI on June 24, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, where the hashRedirect plugin correctly validates redirect targets
  • If upgrading immediately is not possible, remove or disable the hashRedirect plugin until the patch is applied
  • Implement a WAF rule to block protocol‑relative URLs in hash fragments from the client side, preventing accidental redirects until a code change can be made

Generated by OpenCVE AI on June 24, 2026 at 09:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rvp5-9p55-f5rp NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
History

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.
Title NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T14:42:21.097Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47377

cve-icon Vulnrichment

Updated: 2026-06-24T14:42:15.919Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')