Impact
The flaw resides in a base-migration endpoint that, before 2026.05.1, accepts a caller-supplied URL and dereferences it without validating protocol or destination, allowing scheme abuse and probing of internal HTTP destinations. An attacker can supply a malicious URL to cause the server to request arbitrary network locations, read sensitive files or internal services, and explore internal HTTP endpoints. This vulnerability is an SSRF weakness (CWE-918).
Affected Systems
This vulnerability affects all deployments of NocoDB running a version earlier than 2026.05.1. The product and vendor are specified as NocoDB, NocoDB. Newer releases beginning with 2026.05.1 contain a fix that validates the URL scheme and restricts outbound requests.
Risk and Exploitability
The CVSS score of 5.1 classifies it as a medium impact vulnerability. EPSS is not available and the issue is not currently listed in CISA KEV catalog. The attack vector is inferred to be remote, via the exposed base-migration API; an authorized user or one who can send requests to the endpoint can trigger the malicious request. The potential exploitation can lead to internal network mapping, exfiltration of sensitive data, or access to internal services that are not exposed externally. Because the weakness does not require privileged privileges on the host, the risk remains meaningful for organizations that expose the base-migration endpoint to untrusted actors.
OpenCVE Enrichment
Github GHSA