SB2026052307 - Multiple vulnerabilities in NocoDB
Published: May 23, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Protection Mechanism Failure (CVE-ID: CVE-2026-46553)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass the configured per-file size limit.
The vulnerability exists due to improper enforcement of size restrictions in upload-by-URL attachment handling when processing upload-by-URL requests and data: URIs. A remote user can supply a URL or data: URI referencing an oversized file to bypass the configured per-file size limit.
Exploitation requires upload permission.
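An added example (not NocoDB's code) of how a server can enforce a per-file limit for both intake paths named above: a data: URI is sized from its payload length before decoding, and a URL download is checked against the declared Content-Length and then counted byte by byte so a missing or false header cannot bypass the limit. The limit value and the chunk-array stand-in for the response stream are assumptions.

```javascript
// Hypothetical configured per-file limit; NocoDB's real setting name is not on the page.
const MAX_FILE_BYTES = 5 * 1024 * 1024;

// Decoded byte length of a data: URI computed from the payload length alone,
// so an oversized URI is rejected before any decoding or buffering happens.
function dataUriDecodedSize(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(uri);
  if (!m) throw new Error('not a data: URI');
  const payload = m[3];
  if (m[2]) {
    const chars = payload.replace(/[\s=]/g, '').length; // ignore padding and stray whitespace
    return Math.floor((chars * 3) / 4);
  }
  return Buffer.byteLength(decodeURIComponent(payload), 'utf8'); // percent-encoded text payload
}

function checkDataUri(uri, limit = MAX_FILE_BYTES) {
  const size = dataUriDecodedSize(uri);
  return size <= limit ? { ok: true, size } : { ok: false, size, reason: 'data URI exceeds limit' };
}

// Enforce the limit on a URL download: reject on the declared Content-Length first,
// then count bytes as they arrive so a missing or false header cannot bypass the limit.
// `chunks` stands in for the response stream (constructed Buffers in the tests).
function receiveWithLimit(contentLengthHeader, chunks, limit = MAX_FILE_BYTES) {
  if (contentLengthHeader !== undefined) {
    const declared = Number(contentLengthHeader);
    if (!Number.isInteger(declared) || declared < 0) {
      return { ok: false, reason: 'invalid Content-Length', received: 0 };
    }
    if (declared > limit) return { ok: false, reason: 'declared size exceeds limit', received: 0 };
  }
  let received = 0;
  const parts = [];
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > limit) return { ok: false, reason: 'stream exceeded limit', received }; // abort download here
    parts.push(chunk);
  }
  return { ok: true, received, body: Buffer.concat(parts) };
}
```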
2) Improper Authorization (CVE-ID: CVE-2026-46552)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and gain persistent unauthorized access.
The vulnerability exists due to improper authorization in shared-base session handling and access control logic when processing requests authenticated only with the shared-base UUID header. A remote attacker can enumerate base members and invite an arbitrary email address into the base to disclose sensitive information and gain persistent unauthorized access.
The invited user can redeem the invite through the normal signup flow, and the resulting authenticated access remains even after the shared link is revoked.
3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CVE-ID: CVE-2026-46550)
CWE-ID: CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and perform cross-site request forgery.
The vulnerability exists due to the refresh-token cookie being set without the Secure and SameSite attributes in setTokenCookie and the token refresh endpoint, which handle refresh-token cookies and cross-site POST requests. A remote attacker can intercept the cookie over plain HTTP or cause the browser to send it in a cross-site request to disclose sensitive information and perform cross-site request forgery.
Exploitation requires user interaction to visit a malicious page.
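An added example (not NocoDB's setTokenCookie) showing the refresh-token cookie serialised with the attributes this item reports as missing, plus an audit function that parses a Set-Cookie header from a captured response and reports which of those attributes are absent. The cookie name and path are assumptions.

```javascript
// Serialise the refresh-token cookie with the attributes the bulletin reports missing.
// The cookie name and path passed by callers are assumptions, not NocoDB's actual values.
function buildRefreshCookie(name, value, opts = {}) {
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value contains forbidden characters');
  const attrs = [
    `${name}=${value}`,
    `Path=${opts.path || '/'}`,              // scope to the refresh endpoint in production
    'HttpOnly',                              // not readable by page script
    'Secure',                                // never sent over plain HTTP
    `SameSite=${opts.sameSite || 'Strict'}`, // not attached to cross-site POSTs
  ];
  if (opts.maxAgeSeconds) attrs.push(`Max-Age=${opts.maxAgeSeconds}`);
  return attrs.join('; ');
}

// Parse one Set-Cookie header value (e.g. from a captured response) and report the
// attributes a sensitive cookie must carry; an empty findings list means it is sound.
function auditSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const nameEnd = pair.indexOf('=');
  const name = nameEnd === -1 ? pair : pair.slice(0, nameEnd);
  const attrs = new Map();
  for (const a of rest) {
    const eq = a.indexOf('=');
    attrs.set((eq === -1 ? a : a.slice(0, eq)).toLowerCase(), eq === -1 ? true : a.slice(eq + 1));
  }
  const findings = [];
  if (!attrs.has('secure')) findings.push('missing Secure: cookie is sent over plain HTTP');
  if (!attrs.has('httponly')) findings.push('missing HttpOnly: cookie is readable from script');
  const sameSite = attrs.has('samesite') ? String(attrs.get('samesite')).toLowerCase() : undefined;
  if (sameSite === undefined) findings.push('missing SameSite: behaviour depends on browser defaults');
  else if (sameSite === 'none') findings.push('SameSite=None: cookie is attached to cross-site POSTs');
  return { name, findings };
}
```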
4) Incorrect authorization (CVE-ID: CVE-2026-46549)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass intended OAuth scope and resource restrictions to access unauthorized org-level functionality.
The vulnerability exists due to incorrect authorization in the ACL middleware when handling requests with OAuth tokens on routes where scope and granted-resource restrictions are not enforced. A remote privileged user can use a restricted OAuth token to access functionality with the full permissions of the underlying user, bypassing the intended OAuth scope and resource restrictions and reaching unauthorized org-level functionality.
User interaction is required to authorize use of the OAuth token.
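Items 2 and 4 share a root cause: the effective permission was derived from the underlying user rather than from the credential that actually authenticated the request. An added example (not NocoDB's ACL middleware) of a route guard that decides on both; the route keys, scope names, request shape and credential kinds are assumptions.

```javascript
// Routes declare the scope they need and whether they are base-scoped or org-level
// (route keys, scope names and the request shape are assumptions for this example).
const ROUTES = {
  'GET /bases/:baseId/records': { scope: 'data:read', level: 'base' },
  'GET /bases/:baseId/users': { scope: 'users:read', level: 'base' },
  'POST /bases/:baseId/users': { scope: 'users:invite', level: 'base' },
  'GET /org/users': { scope: 'org:read', level: 'org' },
};

// What the credential itself permits, independent of who the underlying user is:
// a session carries the user's role, an OAuth token only its granted scopes and bases,
// a shared-base UUID only read access to that one base.
function credentialAllows(cred, routeKey, params) {
  const route = ROUTES[routeKey];
  if (!route) return { allowed: false, reason: 'unknown route' };
  switch (cred && cred.kind) {
    case 'session':
      return { allowed: true };
    case 'oauth':
      if (!cred.scopes.includes(route.scope)) return { allowed: false, reason: `token lacks scope ${route.scope}` };
      if (route.level === 'base' && !cred.bases.includes(params.baseId)) {
        return { allowed: false, reason: 'base not granted to token' };
      }
      return { allowed: true };
    case 'shared-base':
      if (route.level !== 'base' || params.baseId !== cred.baseId) return { allowed: false, reason: 'outside the shared base' };
      if (route.scope !== 'data:read') return { allowed: false, reason: 'shared link grants read-only access' };
      return { allowed: true };
    default:
      return { allowed: false, reason: 'unauthenticated' };
  }
}

// Final decision: the credential must permit the route AND the user's role must too.
// Checking only the user's role is the pattern behind items 2 and 4.
function authorize(req, routeKey) {
  const params = req.params || {};
  const viaCredential = credentialAllows(req.credential, routeKey, params);
  if (!viaCredential.allowed) return viaCredential;
  if (req.credential.kind === 'shared-base') return { allowed: true }; // anonymous viewer, no user role
  const needed = ROUTES[routeKey].scope;
  return req.user && req.user.permissions.includes(needed)
    ? { allowed: true }
    : { allowed: false, reason: `user role lacks ${needed}` };
}
```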
5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-46548)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access internal hosts and disclose sensitive information.
The vulnerability exists due to server-side request forgery protection bypass in notification webhook plugins (Slack, Discord, Mattermost, Teams) when sending webhook POST requests. A remote user can create a webhook with a crafted webhook_url to access internal hosts and disclose sensitive information.
Exploitation requires hook-creation permission, and response bodies may be exposed when verbose hook logging is enabled.
6) Cross-site scripting (CVE-ID: CVE-2026-46547)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the context of the application.
The vulnerability exists due to cross-site scripting in the Page Leaving Warning page when processing crafted ncRedirectUrl and ncBackUrl query parameters. A remote attacker can send a specially crafted link to a victim to execute arbitrary JavaScript in the context of the application.
User interaction is required to open the crafted link.
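An added example (not NocoDB's Page Leaving Warning page) of handling the two query parameters named above: each value is parsed as a URL so that scheme tricks such as javascript: are rejected regardless of case or leading whitespace, the outbound target may be external (that is the page's purpose) while the back link must stay on the application, and both are HTML-escaped when rendered. The application origin and the rendered markup are assumptions.

```javascript
// Validate a URL-valued query parameter. Resolving against the app origin normalises
// scheme tricks ('jAvAsCrIpT:', leading whitespace), protocol-relative '//host' forms
// and backslash variants before the decision is made. Returns null when unsafe.
function sanitizeUrlParam(param, appOrigin, { allowExternal = false } = {}) {
  if (typeof param !== 'string' || param.length === 0 || param.length > 2048) return null;
  let u;
  try { u = new URL(param, appOrigin); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null; // rejects javascript:, data:, vbscript:
  if (u.origin === new URL(appOrigin).origin) return u.pathname + u.search + u.hash; // same-origin: keep it relative
  return allowExternal ? u.href : null;
}

// Escape for insertion into HTML text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The warning page: the outbound link may be external, the back link must stay on the
// application, and both are escaped when rendered. appOrigin is assumed, e.g. 'https://app.example'.
function renderLeaveWarning(query, appOrigin) {
  const redirect = sanitizeUrlParam(query.ncRedirectUrl, appOrigin, { allowExternal: true }) || '/';
  const back = sanitizeUrlParam(query.ncBackUrl, appOrigin) || '/';
  return '<p>You are about to leave this site.</p>' +
    `<a href="${escapeHtml(redirect)}">Continue</a> <a href="${escapeHtml(back)}">Go back</a>`;
}
```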
Remediation
Install the update from the vendor's website.
References
- https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6
- https://github.com/nocodb/nocodb/security/advisories
- https://github.com/nocodb/nocodb/security/advisories/GHSA-chqv-vrj7-qffp
- https://github.com/nocodb/nocodb/security/advisories/GHSA-f74w-272x-mqcv
- https://github.com/nocodb/nocodb/security/advisories/GHSA-m5qg-rvjq-727p
- https://github.com/nocodb/nocodb/security/advisories/GHSA-2c5x-4jgf-88mj
- https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9