Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an authenticated user who possesses base-create permission to attach a SQLite source that points to any file writable by the NocoDB process. Because the caller-supplied file name is used unchanged in the subsequent filesystem checks and writes, the attacker can read from or overwrite the target file through the normal table APIs. This is a path traversal vulnerability (CWE-22) that manifests as local file read/write capability.

Affected Systems

The vulnerability affects NocoDB installations running any version older than 2026.05.1. All users who can create bases or integrations in such installations are potentially impacted; the flaw is only exploitable if the user has the base-create permission. The issue is specific to the NocoDB product and is not present in later releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been reported. Exploitation requires only legitimate authentication and the base-create permission, which may be widely granted in deployments. No further security consequences are described beyond the ability to read or alter files that the NocoDB process can reach.

Generated by OpenCVE AI on June 24, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1 or later
  • Revoke base-create permissions from users who do not require them
  • Disable or limit the ability to attach SQLite source files, ensuring that only trusted paths are permitted


Advisories
Source: GitHub GHSA
ID: GHSA-wvqj-9wv4-7ff5
Title: NocoDB: Path Traversal via SQLite Source Filename
History

Wed, 24 Jun 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Nocodb; Nocodb nocodb
Type: Vendors & Products
  Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 20:30:00 +0000

Type: Description
  Values Added: NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs. This vulnerability is fixed in 2026.05.1.
Type: Title
  Values Added: NocoDB: Path Traversal via SQLite Source Filename
Type: Weaknesses
  Values Added: CWE-22
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:14:12.428Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47385

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')