Impact
The vulnerability arises in NocoDB’s connection‑test endpoint, which creates a raw TCP socket to the database host supplied by the user. The endpoint fails to resolve or range‑check the host, allowing the server to connect to private, link‑local, or localhost addresses, including IPv4‑mapped IPv6 forms. This flaw enables an attacker to force the NocoDB process to initiate outbound connections to arbitrary IP addresses, exposing the server to potential internal network access and data leakage.
Affected Systems
NocoDB, the web‑based spreadsheet‑style database builder (nocodb:nocodb), is affected in all releases before 2026.05.1. Upgrading to 2026.05.1 or later incorporates the SSRF fix.
Risk and Exploitability
The CVSS score of 5.3 signifies moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the publicly exposed connection‑test endpoint, which accepts any host string. Exploitation requires an attacker to trigger the endpoint with a crafted host value; once triggered, the server will open a socket to the specified address.
OpenCVE Enrichment
Github GHSA