Impact
The vulnerability is a Server-Side Request Forgery (SSRF) in NocoDB's spreadsheet-fetch endpoint (axiosRequestMake). Before version 2026.05.1, the endpoint accepted any URL whose path ended in a permitted file extension and applied only a narrow regex blocklist that filtered out 127.0.0.0/8 and 169.254.0.0/16. An attacker could therefore craft a URL that makes the server reach internal cloud-metadata services, exposing sensitive internal data and enabling lateral movement. The weakness is classified as CWE-918 and was corrected in 2026.05.1.
Affected Systems
NocoDB deployments running any version earlier than 2026.05.1 are vulnerable. The defect lives in the spreadsheet-fetch endpoint (axiosRequestMake). The advisory lists no specific minor versions beyond the fixed release, so any installation whose latest release predates 2026-05-01 should be treated as at risk.
Risk and Exploitability
The CVSS base score of 5.1 places the issue in the medium range; confidentiality and integrity of internal resources are at risk wherever the application can reach a cloud-metadata endpoint. No EPSS score is available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, indicating limited evidence of public exploitation to date. An attacker would typically submit a crafted request to the spreadsheet-fetch endpoint over HTTP or HTTPS, from a remote network or a compromised user account, to trigger the SSRF. Prevention lies in validating outbound URLs and rejecting those that point at internal addresses before any request is made.
OpenCVE Enrichment: GitHub GHSA