EXECUTIVE SUMMARY:
Multiple vulnerabilities were identified in the NocoDB open-source platform, affecting releases prior to 0.301.2, the fixed version. The issues include a prototype pollution flaw in the connection test endpoint that can cause denial of service by breaking database operations when exploited via crafted input; a blind server-side request forgery (SSRF) through an unvalidated URL metadata request issued by the upload-via-URL feature; a stored cross-site scripting (XSS) vulnerability that lets authenticated users upload malicious SVG attachments which execute in other users' browsers; and an unvalidated redirect in the login flow that can be abused in phishing schemes to send authenticated users to attacker-controlled sites. Collectively these vulnerabilities create avenues for service disruption, credential theft through social engineering, session compromise, unauthorized actions on behalf of victims, and limited internal network probing via SSRF, underscoring the importance of applying the fixed release and validating or sanitizing input in the affected components.
- CVE-2026-24766: A prototype pollution vulnerability in NocoDB that can be exploited by an authenticated user with elevated permissions via a crafted connection test request. Exploitation can disrupt database write operations across the application, causing a denial-of-service condition until the service is restarted. The vulnerability has a CVSS score of 4.9.
- CVE-2026-24767: A blind SSRF vulnerability in NocoDB: the upload-via-URL feature issues an unvalidated HEAD request to the supplied URL, allowing limited outbound requests to attacker-controlled destinations. An attacker with low-privilege access can abuse this behavior to probe internal or external network resources. The vulnerability has a CVSS score of 4.9.
- CVE-2026-24769: A stored cross-site scripting (XSS) vulnerability in NocoDB that allows authenticated users to upload malicious SVG attachments containing embedded JavaScript. When another user views the attachment, the script executes in their browser, potentially leading to session hijacking or unauthorized actions performed as that user. The vulnerability has a CVSS score of 8.5.
- CVE-2026-24768: An open redirect vulnerability in NocoDB's login flow that allows attackers to redirect authenticated users to arbitrary external websites. The issue can be abused in phishing or social-engineering attacks that leverage the trust users place in login redirects. The vulnerability has a CVSS score of 5.7.
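The following is an added illustration for the prototype pollution issue (CVE-2026-24766), not NocoDB's code: a recursive merge that trusts the key names in a JSON request body writes through `__proto__` onto `Object.prototype`, after which every object in the process inherits attacker-chosen keys, which is how a single request to one endpoint can break unrelated database code. The request shape, the `readOnly` key and the merge functions are assumptions for illustration.

```javascript
// Added example, not NocoDB's code. Request body shape and key names are assumed.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every enumerable key from source into target, recursing
// into nested objects. When key is "__proto__", target[key] resolves to
// Object.prototype, so the recursion writes attacker-chosen keys onto the
// prototype shared by every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: reject the keys that reach the prototype chain, and only recurse
// into properties the target actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(source[key])) {
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed request body of the kind a "test connection" handler might merge
// over its defaults. JSON.parse turns "__proto__" into an own, enumerable key.
const CONSTRUCTED_BODY =
  '{"client":"pg","connection":{"host":"db"},"__proto__":{"readOnly":true}}';

// Merge the body with the given function, then inspect an unrelated object
// created afterwards. Code far from the endpoint that does `for (k in opts)` or
// `if (opts.readOnly)` now sees a key nobody set. Cleans up Object.prototype so
// repeated calls start from a clean state.
function pollutionDemo(mergeFn) {
  const defaults = { client: 'sqlite3', connection: {} };
  let error = null;
  try {
    mergeFn(defaults, JSON.parse(CONSTRUCTED_BODY));
  } catch (e) {
    error = e.message;
  }
  const unrelated = {};
  const inherited = [];
  for (const k in unrelated) inherited.push(k); // picks up prototype keys
  const result = {
    rejected: error !== null,
    inherited,
    readOnly: unrelated.readOnly === true,
  };
  delete Object.prototype.readOnly; // restore the process
  return result;
}
```

Rejecting the request (rather than silently dropping the key) is the right call for a privileged endpoint, since a body containing `__proto__` has no legitimate reason to exist. As defence in depth, parse bodies with a reviver that drops `__proto__`, keep option bags as `Object.create(null)`, and consider `Object.freeze(Object.prototype)` at startup if the dependency tree tolerates it.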
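For the blind SSRF issue (CVE-2026-24767), the following added example, not NocoDB's code, shows the destination check an upload-via-URL feature should run before issuing its HEAD request. The function names and the policy (http/https only, no embedded credentials, no loopback, private, link-local or multicast targets) are assumptions for illustration, not the project's implementation.

```javascript
// Added example, not NocoDB's code. Policy and function names are assumed.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse a dotted-quad IPv4 literal into four octets, or null if it is not one.
// new URL() has already normalised shorthand forms (0x7f.1, 2130706433) into
// dotted quads, so only this form needs handling here.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Ranges an upload fetcher should never reach: "this" network, RFC 1918,
// loopback, CGNAT, link-local (including 169.254.169.254 cloud metadata),
// multicast and reserved.
function isInternalIPv4([a, b]) {
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224
  );
}

// Loopback, unspecified, IPv4-mapped (rejected outright rather than unwrapped),
// link-local and unique-local IPv6.
function isInternalIPv6(ip6) {
  const ip = ip6.toLowerCase();
  return (
    ip === '::1' || ip === '::' ||
    ip.startsWith('::ffff:') ||
    ip.startsWith('fe80:') ||
    /^f[cd][0-9a-f]{2}:/.test(ip)
  );
}

// Returns { ok: true, url } with a normalised URL, or { ok: false, reason }.
function validateUploadUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  if (host.startsWith('[')) {
    if (isInternalIPv6(host.slice(1, -1))) return { ok: false, reason: 'internal IPv6 address' };
  } else {
    const v4 = parseIPv4(host);
    if (v4 && isInternalIPv4(v4)) return { ok: false, reason: 'internal IPv4 address' };
  }
  return { ok: true, url: url.href };
}

// Options for the metadata probe itself: HEAD only, no automatic redirect
// following (each hop must go back through validateUploadUrl), and a timeout.
function headRequestOptions(timeoutMs = 5000) {
  return { method: 'HEAD', redirect: 'manual', signal: AbortSignal.timeout(timeoutMs) };
}
```

A literal check like this is necessary but not sufficient: a hostname that resolves to an internal address passes it, and DNS rebinding can change the answer between validation and connect. Pin the resolved address at connect time (a custom `lookup` or connect hook in the HTTP client), re-validate every redirect hop, and keep the fetcher on a network segment with no route to internal services.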
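For the stored SVG XSS issue (CVE-2026-24769), the following added example, not NocoDB's code, shows two layers a practitioner would combine: a screen that flags active content in an uploaded SVG, and the response headers that stop a stored SVG from running script in the viewer's browser even when the screen misses something. The patterns, header policy and sample SVGs are constructed for illustration.

```javascript
// Added example, not NocoDB's code. Patterns and header policy are assumed.

// Markup that turns an SVG from a picture into a document that can run code.
// A denylist like this is a screen for obvious cases, not a sanitizer: entity
// encoding and SMIL tricks can slip past it, which is why the headers below matter.
const ACTIVE_CONTENT = [
  { name: 'script element',    re: /<\s*script\b/i },
  { name: 'event handler',     re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL',   re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject',     re: /<\s*foreignObject\b/i },
  { name: 'embedded document', re: /<\s*(?:iframe|embed|object)\b/i },
];

// Returns the names of the patterns found; an empty array means none matched.
function scanSvg(text) {
  return ACTIVE_CONTENT.filter(({ re }) => re.test(text)).map(({ name }) => name);
}

// Headers for serving a stored attachment. Content-Disposition: attachment makes
// the browser download rather than render the file at the application's origin;
// nosniff stops MIME guessing; the CSP forbids script and sandboxes the response
// for any client that still renders it inline (e.g. a direct link opened in a tab).
function attachmentHeaders(filename) {
  const safeName =
    filename.replace(/[^\w.-]/g, '_').replace(/^\.+/, '') || 'attachment.svg';
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  };
}

// Constructed samples (not real uploads).
const CLEAN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SCRIPT_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
const HANDLER_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>';
```

Note that an SVG referenced from an `<img>` element cannot run script; the risk the advisory describes arises when the file is opened directly at the application's origin, where it runs with the victim's session. If inline rendering is a product requirement, run the file through a real SVG sanitizer (for example DOMPurify with its SVG profile) at upload time and still serve it with the headers above.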
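For the open redirect issue (CVE-2026-24768), the following added example, not NocoDB's code, resolves a post-login "return to" parameter against the application's own origin so the redirect can never leave it. The parameter handling, the origin `https://app.example.test` and the fallback path are assumptions for illustration.

```javascript
// Added example, not NocoDB's code. Origin and fallback path are assumed.

const APP_ORIGIN = 'https://app.example.test';
const DEFAULT_AFTER_LOGIN = '/dashboard';

// Returns a same-origin, relative redirect target or the fallback. Resolving the
// value with new URL() against APP_ORIGIN is what makes the check hold:
// "//evil.test", "/\evil.test", "https://app.example.test@evil.test" and
// "http://app.example.test" (scheme downgrade) all resolve to a different origin
// and are rejected, while a plain path resolves to APP_ORIGIN. Only path, query
// and fragment are returned, never the attacker-supplied string itself.
function safeRedirectTarget(raw, fallback = DEFAULT_AFTER_LOGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return fallback;
  let url;
  try {
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  // A same-origin URL whose path starts with "//" would, once emitted as a bare
  // Location value, be read by the browser as a protocol-relative URL.
  if (url.pathname.startsWith('//')) return fallback;
  return url.pathname + url.search + url.hash;
}
```

Prefix or substring checks on the raw string (`startsWith('/')`, `includes('example.test')`) are the usual source of bypasses; comparing `origin` after full URL resolution and emitting only the reconstructed path avoids them. Where the application legitimately needs to send users to a small set of external sites, replace the origin comparison with an explicit allow-list of origins and keep everything else unchanged.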
RECOMMENDATION:
- We strongly recommend you update NocoDB to version 0.301.2 or later.
REFERENCES:
The following reports contain further technical details: