Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in NocoDB’s connection‑test endpoint, which creates a raw TCP socket to the database host supplied by the user. The endpoint fails to resolve or range‑check the host, allowing the server to connect to private, link‑local, or localhost addresses, including IPv4‑mapped IPv6 forms. This flaw enables an attacker to force the NocoDB process to initiate outbound connections to arbitrary IP addresses, exposing the server to potential internal network access and data leakage.

Affected Systems

NocoDB, the web‑based spreadsheet‑style database builder (nocodb:nocodb), is affected in all releases before 2026.05.1. Upgrading to 2026.05.1 or later incorporates the SSRF fix.

Risk and Exploitability

The CVSS score of 5.3 signifies moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the publicly exposed connection‑test endpoint, which accepts any host string. Exploitation requires an attacker to trigger the endpoint with a crafted host value; once triggered, the server will open a socket to the specified address.

Generated by OpenCVE AI on June 24, 2026 at 13:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1 or later to apply the official SSRF fix.
  • Configure network firewall or host‑based rules to block outbound traffic from the NocoDB process to private address ranges, limiting potential SSRF impact.
  • Implement application‑level host validation for the database host field to restrict connections to trusted external services only.

Generated by OpenCVE AI on June 24, 2026 at 13:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w43h-r5m5-p832 NocoDB: Server-Side Request Forgery via Database Connection Host
History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
Title NocoDB: Server-Side Request Forgery via Database Connection Host
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:15:48.344Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47382

cve-icon Vulnrichment

Updated: 2026-06-24T13:15:39.779Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:15:15Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)