Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the
underlying request is for another file. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB, an open‑source platform that uses spreadsheets to build databases, had an issue in its spreadsheet‑import endpoint before 2026.05.1. The endpoint, utilizing the internal function axiosRequestMake, could act as a generic HTTP proxy. It was reachable without authentication, and its URL‑extension allowlist was a regex tested against the full URL string. This allowed URLs whose query string ended in ".csv" to pass the filter, even when the underlying request pointed to a different file or domain. Server‑Side Request Forgery (CWE‑918) and inadequate input validation (CWE‑441) bypass the intended proxy restrictions, enabling an unauthenticated actor to cause the server to retrieve arbitrary resources from internal or external networks.

Affected Systems

The issue impacts all releases of NocoDB before version 2026.05.1. The fix, released in 2026.05.1, eliminates the proxy behavior and enforces authentication for the spreadsheet‑import endpoint, making those and later releases unaffected.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability represents a moderate severity risk. No EPSS value is available and the flaw is not yet listed in the CISA KEV catalog. The flaw allows arbitrary outbound HTTP requests without authentication, meaning the SSRF vulnerability remains exploitable until a patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 10:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1 or later.
  • If an immediate upgrade is not possible, restrict or disable the spreadsheet‑import endpoint by requiring authentication or blocking the URL pattern used by the proxy.
  • Apply network segmentation or firewall rules to limit the application’s outbound traffic, mitigating any potential SSRF exploitation if the endpoint remains exposed.

Generated by OpenCVE AI on June 24, 2026 at 10:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hmcr-rmjq-47qr NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
History

Wed, 24 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the underlying request is for another file. This vulnerability is fixed in 2026.05.1.
Title NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Weaknesses CWE-441
CWE-918
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Nocodb Nocodb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T19:41:23.466Z

Reserved: 2026-06-11T15:46:12.317Z

Link: CVE-2026-53931

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses
  • CWE-441

    Unintended Proxy or Intermediary ('Confused Deputy')

  • CWE-918

    Server-Side Request Forgery (SSRF)