SB2026042737 - Multiple vulnerabilities in NocoDB
Published: April 27, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2026-24766)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the /api/v2/meta/connection/test endpoint when processing user-supplied connection test input. A remote privileged user can send a specially crafted request to cause a denial of service.
The issue pollutes Object.prototype globally, causing subsequent database write operations to fail application-wide until the server is restarted.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-24767)
The vulnerability allows a remote user to perform blind server-side requests to arbitrary URLs.
The vulnerability exists due to server-side request forgery in uploadViaURL() when issuing an unvalidated HEAD request for attacker-controlled URLs. A remote user can send a specially crafted request to perform blind server-side requests to arbitrary URLs.
Only HEAD requests are affected, so no response body is returned, but internal service reachability and response behavior may still be probed.
3) Open redirect (CVE-ID: CVE-2026-24768)
The vulnerability allows a remote attacker to redirect authenticated users to an arbitrary external website.
The vulnerability exists due to URL redirection to an untrusted site in the login flow via the continueAfterSignIn parameter when handling login requests with a user-controlled redirect target. A remote attacker can send a crafted login link to redirect authenticated users to an arbitrary external website.
User interaction is required because the victim must click a crafted login link and complete authentication.
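The standard mitigation for this class of issue is to accept only in-application paths for the post-login redirect and resolve them against the deployment's own origin before use. The following is an added example of such a check, not NocoDB's own code; APP_ORIGIN, SAFE_FALLBACK and safeRedirectTarget are assumed names.

```javascript
// Added example (not NocoDB's code): constrain a post-login redirect target such as
// the continueAfterSignIn parameter so it can only lead back into the application.
const APP_ORIGIN = "https://nocodb.example.internal"; // assumed deployment origin, no trailing slash
const SAFE_FALLBACK = "/dashboard";                    // assumed default landing path

/**
 * Return an absolute URL on `origin` derived from `candidate`, or `fallback`
 * when the candidate is not a plain in-app path. Rejected inputs include
 * absolute URLs to other hosts, protocol-relative "//host" forms, backslash
 * variants, non-http(s) schemes, non-string values and unparseable input.
 */
function safeRedirectTarget(candidate, origin = APP_ORIGIN, fallback = SAFE_FALLBACK) {
  // Query parsers may yield arrays or undefined; only a non-empty string is considered.
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  // Browsers treat "\" like "/" when parsing URLs, so normalise before checking.
  const normalized = candidate.replace(/\\/g, "/");

  // Accept only paths that start with exactly one "/" ("//host" is protocol-relative).
  if (!normalized.startsWith("/") || normalized.startsWith("//")) return fallback;

  let parsed;
  try {
    // Resolve against our own origin using the WHATWG URL parser.
    parsed = new URL(normalized, origin);
  } catch {
    return fallback;
  }

  // After resolution the origin must be unchanged and the scheme http(s).
  if (parsed.origin !== origin) return fallback;
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;

  // Return the absolute href rather than a bare path: path normalisation (e.g. "/..//host")
  // can otherwise yield a "//host" string that a Location header would treat as another host.
  return parsed.href;
}
```

Use the returned value directly as the Location header; anything the function could not prove to be on APP_ORIGIN is replaced by the fallback path.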
4) Cross-site scripting (CVE-ID: CVE-2026-24769)
The vulnerability allows a remote user to execute arbitrary script in the browsers of other users.
The vulnerability exists due to cross-site scripting in the attachment handling mechanism when rendering uploaded SVG attachments inline. A remote user can upload a malicious SVG file containing embedded JavaScript to execute arbitrary script in the browsers of other users.
Exploitation requires permission to upload attachments, and user interaction is required when another user views the attachment.
Remediation
Install the update from the vendor's website.
References
- https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9
- https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9
- https://github.com/advisories/GHSA-xr7v-j379-34v9
- https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj
- https://github.com/advisories/GHSA-3hmw-8mw3-rmpj
- https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr