
NocoDB CVE-2026-47382

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-05 https://github.com/nocodb/nocodb GHSA-w43h-r5m5-p832

Lifecycle Timeline

Source Code Evidence Fetched: Jun 05, 2026 - 16:51 (vuln.today)
Analysis Generated: Jun 05, 2026 - 16:51 (vuln.today)

Description (NVD)

Summary

The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver.

Details

A new validateDbConnectionHost helper resolves hostnames through DNS, parses each address with ipaddr.js, normalises IPv4-mapped IPv6, and rejects addresses in the private, loopback, link-local, unique-local, reserved, unspecified, broadcast, and carrier-grade-NAT ranges. 0.0.0.0, ::, and the literal localhost are special-cased. The check runs before the existing SSL block in the connection-test controller and gates the driver invocation.
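An added sketch of the resolve-then-range-check gate described above. It is not NocoDB's code: the project's helper uses ipaddr.js, while this version uses Node's built-in `net.BlockList`. The names `isForbiddenAddress`, `unmapIPv4` and `checkDbHost`, and the CIDR table, are assumptions made for illustration.

```javascript
const net = require('net');
const dns = require('dns').promises;

// Ranges the advisory names; the CIDRs are the standard IANA blocks (assumed table).
const BLOCKED = [
  ['0.0.0.0', 8, 'ipv4'],      // unspecified / "this network"
  ['10.0.0.0', 8, 'ipv4'],     // private
  ['100.64.0.0', 10, 'ipv4'],  // carrier-grade NAT
  ['127.0.0.0', 8, 'ipv4'],    // loopback
  ['169.254.0.0', 16, 'ipv4'], // link-local, includes 169.254.169.254
  ['172.16.0.0', 12, 'ipv4'],  // private
  ['192.168.0.0', 16, 'ipv4'], // private
  ['240.0.0.0', 4, 'ipv4'],    // reserved, includes broadcast
  ['::', 127, 'ipv6'],         // unspecified (::) and loopback (::1)
  ['fc00::', 7, 'ipv6'],       // unique-local
  ['fe80::', 10, 'ipv6'],      // link-local
];
const blockList = new net.BlockList();
for (const [prefix, bits, family] of BLOCKED) blockList.addSubnet(prefix, bits, family);

// Rewrite the compressed forms ::ffff:a.b.c.d and ::ffff:hhhh:hhhh to dotted
// IPv4 so the IPv4 rules apply.
function unmapIPv4(address) {
  const m = /^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/i.exec(address);
  if (!m) return address;
  if (m[1]) return m[1];
  const n = (parseInt(m[2], 16) << 16) | parseInt(m[3], 16);
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// True when the address must not be handed to the database driver.
function isForbiddenAddress(address) {
  const ip = unmapIPv4(address);
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  return blockList.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Hypothetical gate to run before the driver call; `lookup` is injectable for tests.
async function checkDbHost(host, lookup = dns.lookup) {
  if (host.trim().toLowerCase() === 'localhost') throw new Error('forbidden host');
  const records = await lookup(host, { all: true });
  const bad = records.find((r) => isForbiddenAddress(r.address));
  if (bad) throw new Error(`forbidden address ${bad.address}`);
  // Connecting to these checked addresses, not re-resolving the name, narrows
  // the resolve-vs-connect window.
  return records.map((r) => r.address);
}
```

Every resolved record is checked, so a name that returns one public and one private address is rejected as a whole.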

Impact

Authenticated users with connection-test permission could probe internal services (Redis, the cloud metadata endpoint, internal databases) reachable from the NocoDB process. A DNS rebinding attacker could still race the resolve-vs-connect window.

Credit

This issue was reported by @helwor-01.

Analysis (AI)

Server-Side Request Forgery in NocoDB (npm/nocodb, versions up to and including 2026.05.0) allows authenticated users with connection-test permission to direct the NocoDB server process to open raw TCP sockets to attacker-specified internal destinations, including Redis instances, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), and internal databases. The vulnerable connection-test endpoint accepted user-supplied database hostnames without DNS resolution or address-range validation, effectively making NocoDB an SSRF proxy into the internal network from the server's vantage point. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain NocoDB account with connection-test permission
Delivery: Submit crafted internal hostname or IPv4-mapped IPv6 address to connection-test endpoint
Exploit: NocoDB opens raw TCP socket to internal destination without validation
Execution: Receive response from internal service (Redis, metadata endpoint, internal DB)
Impact: Extract IAM credentials, cache contents, or internal data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated NocoDB user account with the connection-test permission explicitly granted - anonymous or unauthenticated access is not sufficient. …

Risk Assessment: CVSS score and vector are not provided for this CVE, preventing a formal CVSS-based severity rating - all risk signals are inferred from the advisory description and CWE classification. …

Exploit Scenario: An attacker with a valid NocoDB account and connection-test permission submits a crafted database hostname - either a domain they control with a DNS record pointing to 169.254.169.254, or an IPv4-mapped IPv6 encoding of a private address (e.g., ::ffff:10.0.0.1) - to the connection-test endpoint. NocoDB opens a raw TCP socket to the resolved internal address without validation, and the attacker reads the response to fingerprint or interact with the internal service, for example retrieving AWS IAM role credentials from the cloud metadata endpoint or issuing unauthenticated Redis commands to dump keys. …

Remediation: Upgrade NocoDB to version 2026.05.1 or later - the vendor-confirmed fixed release per GitHub release tag https://github.com/nocodb/nocodb/releases/tag/2026.05.1 and advisory GHSA-w43h-r5m5-p832. …
