Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A user‑supplied database host sent to NocoDB’s connection‑test endpoint opens a raw TCP socket to that host without any resolution or range validation. As a result, an attacker can force the server to connect to arbitrary IP addresses, including private, link‑local, and localhost addresses, enabling internal network discovery, data exfiltration, or leveraging the server as a proxy. This flaw is a classic input‑validation weakness (CWE‑918).

Affected Systems

The nocodb:nocodb product, NocoDB, in all versions before 2026.05.1 is vulnerable. Upgrading to 2026.05.1 or later resolves the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is the publicly exposed connection‑test endpoint, which accepts any host string. Exploitation requires the attacker to trigger the endpoint with a crafted host. The risk is moderate but present.

Generated by OpenCVE AI on June 24, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1 or later.
  • If an upgrade cannot be performed immediately, configure the connection‑test endpoint to reject or sandbox private and loopback hosts, or replace it with a patched version that implements range checks.
  • Apply network firewall or host‑based rules to block outbound traffic from the NocoDB process to private address ranges, limiting the potential SSRF impact.

The range check the description and the second recommended action refer to, written as an added example (this is not NocoDB's own code or its fix; it assumes Node.js 18+ and only the standard `node:net` and `node:dns` modules). It resolves the user-supplied host itself, then rejects any resulting address in a loopback, private, link-local, shared, multicast or reserved range, treating IPv4-mapped IPv6 literals (`::ffff:127.0.0.1` and the hex form `::ffff:7f00:1`) and NAT64 addresses as the IPv4 address they embed:

```javascript
// Added example, not NocoDB's code. Resolve a user-supplied host and reject any
// destination in a non-routable range, including IPv4-mapped IPv6 forms.
// Assumes Node.js 18+ (node:net, node:dns/promises).
const { isIP } = require("node:net");
const dns = require("node:dns").promises;

// Parse dotted-quad IPv4 into four octets; null if malformed.
function parseIPv4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.some((o) => Number.isNaN(o) || o > 255) ? null : octets;
}

// Expand IPv6 (including a dotted IPv4 tail such as ::ffff:127.0.0.1) into
// eight 16-bit groups; null if malformed.
function parseIPv6(s) {
  let str = s;
  const cut = str.lastIndexOf(":");
  const tail = str.slice(cut + 1);
  if (tail.includes(".")) {
    const v4 = parseIPv4(tail);
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    str = `${str.slice(0, cut + 1)}${hi}:${lo}`;
  }
  const halves = str.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - rest.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...rest];
  const nums = groups.map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// IPv4 ranges a connection test must never reach (CIDR base, prefix length, reason).
const BLOCKED_V4 = [
  ["0.0.0.0", 8, "unspecified"],
  ["10.0.0.0", 8, "RFC 1918 private"],
  ["100.64.0.0", 10, "shared address space (CGNAT)"],
  ["127.0.0.0", 8, "loopback"],
  ["169.254.0.0", 16, "link-local (cloud metadata range)"],
  ["172.16.0.0", 12, "RFC 1918 private"],
  ["192.168.0.0", 16, "RFC 1918 private"],
  ["224.0.0.0", 4, "multicast"],
  ["240.0.0.0", 4, "reserved/broadcast"],
];

function v4ToInt(o) {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function blockedV4Reason(octets) {
  const addr = v4ToInt(octets);
  for (const [base, bits, reason] of BLOCKED_V4) {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    if (((addr & mask) >>> 0) === ((v4ToInt(parseIPv4(base)) & mask) >>> 0)) return reason;
  }
  return null;
}

function blockedV6Reason(g) {
  const leadingZero = g.slice(0, 5).every((x) => x === 0);
  if (leadingZero && g[5] === 0 && g[6] === 0 && (g[7] === 0 || g[7] === 1)) {
    return g[7] ? "loopback (::1)" : "unspecified (::)";
  }
  // ::ffff:a.b.c.d (IPv4-mapped) and 64:ff9b::a.b.c.d (NAT64): judge the embedded IPv4.
  const mapped = leadingZero && g[5] === 0xffff;
  const nat64 = g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0);
  if (mapped || nat64) {
    const why = blockedV4Reason([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
    return why ? `${mapped ? "IPv4-mapped" : "NAT64"} ${why}` : null;
  }
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local (fe80::/10)";
  if ((g[0] & 0xfe00) === 0xfc00) return "unique local (fc00::/7)";
  if ((g[0] & 0xff00) === 0xff00) return "multicast (ff00::/8)";
  return null;
}

// Reason an IP literal must be rejected, or null if it is a routable address.
function isBlockedAddress(ip) {
  const family = isIP(ip);
  if (family === 4) { const o = parseIPv4(ip); return o ? blockedV4Reason(o) : "malformed IPv4"; }
  if (family === 6) { const g = parseIPv6(ip); return g ? blockedV6Reason(g) : "malformed IPv6"; }
  return "not an IP address literal";
}

// Check every record a lookup returned: one blocked address is enough to refuse.
function checkResolvedAddresses(records) {
  if (records.length === 0) return "host did not resolve";
  for (const { address } of records) {
    const why = isBlockedAddress(address);
    if (why) return `${address}: ${why}`;
  }
  return null;
}

// Resolve the host here and return the vetted address so the caller connects to
// exactly what was checked, rather than re-resolving the name at connect time.
async function resolveAndCheckHost(host) {
  const bare = host.trim().replace(/^\[(.*)\]$/, "$1"); // strip [v6] brackets
  const records = isIP(bare) ? [{ address: bare }] : await dns.lookup(bare, { all: true });
  const why = checkResolvedAddresses(records);
  if (why) throw new Error(`refusing connection test: ${why}`);
  return records[0].address;
}
```

Two design points matter more than the range table itself. First, the check runs on the resolved addresses, not on the host string, so `localhost`, a DNS name pointing at an internal address, or an unusual numeric spelling that `getaddrinfo` accepts all end up judged by the address they actually produce. Second, the caller connects to the address `resolveAndCheckHost` returns, not to the original name; re-resolving at connect time would let a DNS answer change between the check and the socket open.
<test>
if (!isBlockedAddress("127.0.0.1")) throw new Error("loopback v4 not blocked");
if (isBlockedAddress("::1") !== "loopback (::1)") throw new Error("::1 not blocked");
if (isBlockedAddress("::") !== "unspecified (::)") throw new Error(":: not blocked");
if (isBlockedAddress("::ffff:127.0.0.1") !== "IPv4-mapped loopback") throw new Error("mapped dotted loopback not blocked");
if (isBlockedAddress("::ffff:7f00:1") !== "IPv4-mapped loopback") throw new Error("mapped hex loopback not blocked");
if (isBlockedAddress("64:ff9b::7f00:1") !== "NAT64 loopback") throw new Error("NAT64 loopback not blocked");
if (!isBlockedAddress("169.254.169.254")) throw new Error("link-local v4 not blocked");
if (!isBlockedAddress("10.0.0.5")) throw new Error("10/8 not blocked");
if (!isBlockedAddress("172.31.255.255")) throw new Error("172.16/12 not blocked");
if (!isBlockedAddress("192.168.0.1")) throw new Error("192.168/16 not blocked");
if (!isBlockedAddress("100.64.1.1")) throw new Error("CGNAT not blocked");
if (!isBlockedAddress("fe80::1")) throw new Error("fe80 not blocked");
if (!isBlockedAddress("fd12::1")) throw new Error("fc00::/7 not blocked");
if (isBlockedAddress("localhost") !== "not an IP address literal") throw new Error("hostname treated as literal");
if (isBlockedAddress("172.32.0.1") !== null) throw new Error("172.32.0.1 wrongly blocked");
if (isBlockedAddress("8.8.8.8") !== null) throw new Error("8.8.8.8 wrongly blocked");
if (isBlockedAddress("::ffff:8.8.8.8") !== null) throw new Error("mapped public wrongly blocked");
if (isBlockedAddress("2606:4700:4700::1111") !== null) throw new Error("public v6 wrongly blocked");
if (!checkResolvedAddresses([{ address: "93.184.216.34" }, { address: "127.0.0.1" }])) throw new Error("mixed records not refused");
if (checkResolvedAddresses([{ address: "93.184.216.34" }]) !== null) throw new Error("public record refused");
if (checkResolvedAddresses([]) !== "host did not resolve") throw new Error("empty lookup not refused");
</test>

Generated by OpenCVE AI on June 24, 2026 at 02:48 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-w43h-r5m5-p832
Title: NocoDB: Server-Side Request Forgery via Database Connection Host
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared
  Values Added: Nocodb; Nocodb nocodb
Type: Vendors & Products
  Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
  Values Added: NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
Type: Title
  Values Added: NocoDB: Server-Side Request Forgery via Database Connection Host
Type: Weaknesses
  Values Added: CWE-918
Type: References
  Values Added: (none)
Type: Metrics
  Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:19:39.007Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47382

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)