Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in a base-migration endpoint that accepts a user-supplied URL and performs no validation of the protocol or destination. An attacker can supply URLs with file:, ftp: or other unsupported schemes, and the worker will dereference them, potentially causing the server to access arbitrary network locations, read sensitive files or internal services, and probe internal HTTP destinations. The vulnerability is classified as an SSRF weakness (CWE-918).

Affected Systems

This vulnerability affects all deployments of NocoDB running a version earlier than 2026.05.1. Both vendor and product are listed as NocoDB. Releases from 2026.05.1 onward contain a fix that validates the URL scheme and restricts outbound requests.

Risk and Exploitability

The CVSS score of 5.1 classifies it as a medium-severity vulnerability. EPSS is not available and the issue is not currently listed in CISA’s KEV catalog. The attack vector is inferred to be remote, via the exposed base-migration API: an authorized user, or anyone able to send requests to the endpoint, can trigger the server-side request. Exploitation can lead to internal network mapping, exfiltration of sensitive data, or access to internal services that are not exposed externally. Because the weakness does not require elevated privileges on the host, the risk remains meaningful for organizations that expose the base-migration endpoint to untrusted actors.

Generated by OpenCVE AI on June 24, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NocoDB version 2026.05.1 or later.
  • Restrict the base‑migration endpoint’s traffic to permitted internal destinations or enforce a whitelist of allowed protocols in configuration.
  • Apply network firewalls or proxy rules to block outbound connections to untrusted or internal hosts that could be accessed via the endpoint.

Generated by OpenCVE AI on June 24, 2026 at 03:24 UTC.
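As an added illustration of the two controls the recommended actions describe (an allowlist of URL schemes and a restriction on destinations), the following TypeScript is example code written for this page; it is not NocoDB's own fix and not code from the advisory. The function name `validateMigrationUrl`, the shape of its result and the blocked-range list are assumptions for the illustration; it relies only on Node's built-in WHATWG `URL` parser.

```typescript
// Added example, not NocoDB's code: a defensive check that a migration worker
// could apply to a caller-supplied URL before dereferencing it. The function
// name and the shape of its result are assumptions for this illustration.

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Only plain HTTP(S) fetches are a legitimate migration source; everything
// else (file:, ftp:, gopher:, data:, ...) is rejected by the allowlist.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// IPv4 ranges a server-side fetcher must never be pointed at: "this" network,
// RFC 1918, CGNAT, loopback, link-local (which includes cloud instance
// metadata services), multicast and reserved space.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["100.64.0.0", 10],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["224.0.0.0", 4],
  ["240.0.0.0", 4],
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not dotted-quad.
function parseV4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === (((parseV4(base) as number) & mask) >>> 0);
}

function isBlockedV4(ip: number): boolean {
  return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// IPv6 literal (brackets already stripped): reject loopback, unspecified,
// unique-local (fc00::/7), link-local (fe80::/10) and IPv4-mapped addresses
// whose embedded IPv4 is in a blocked range.
function isBlockedV6(literal: string): boolean {
  const h = literal.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (/^f[cd]/.test(h)) return true;    // fc00::/7
  if (/^fe[89ab]/.test(h)) return true; // fe80::/10
  if (h.startsWith("::ffff:")) {
    const rest = h.slice("::ffff:".length);
    let v4: number | null;
    if (rest.includes(".")) {
      v4 = parseV4(rest); // ::ffff:127.0.0.1 form
    } else {
      // WHATWG serialization writes the mapped IPv4 as two hextets (::ffff:7f00:1).
      const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
      v4 = m ? (((parseInt(m[1], 16) << 16) | parseInt(m[2], 16)) >>> 0) : null;
    }
    return v4 === null || isBlockedV4(v4); // unparseable mapped address: fail closed
  }
  return false;
}

function validateMigrationUrl(raw: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw); // Node's global WHATWG URL parser
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost not allowed" };
  }
  if (host.startsWith("[") && host.endsWith("]")) {
    // Node reports IPv6 hosts with their brackets in url.hostname.
    return isBlockedV6(host.slice(1, -1))
      ? { ok: false, reason: "internal IPv6 address" }
      : { ok: true, url };
  }
  const v4 = parseV4(host);
  if (v4 !== null && isBlockedV4(v4)) {
    return { ok: false, reason: "internal IPv4 address" };
  }
  return { ok: true, url };
}
```

Two caveats a practitioner should keep in mind: the check inspects only literal addresses, so a hostname must be re-checked against the same ranges after DNS resolution (ideally by pinning the resolved address for the actual connection, which also closes the DNS-rebinding window between check and connect), and any HTTP redirect the worker follows needs to pass through the same validation. Node's WHATWG parser canonicalizes alternative IPv4 spellings (hex, octal, single integer) to dotted decimal before the range check sees them, which is why the example reads `url.hostname` rather than re-parsing the raw string.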

Advisories

Source        ID                    Title
GitHub GHSA   GHSA-h6vv-pcq8-7xm4   NocoDB: Server-Side Request Forgery via Base Migration URL
History

Wed, 24 Jun 2026 01:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Nocodb
                                       Nocodb nocodb
Vendors & Products                     Nocodb
                                       Nocodb nocodb

Tue, 23 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This vulnerability is fixed in 2026.05.1.
Title                          NocoDB: Server-Side Request Forgery via Base Migration URL
Weaknesses                     CWE-918
References
Metrics                        cvssV4_0
                               {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T19:42:46.860Z

Reserved: 2026-06-11T15:46:12.317Z

Link: CVE-2026-53930

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:30:05Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)