Skip to main content

NocoDB CVE-2026-47385

| EUVDEUVD-2026-38615 MEDIUM
Path Traversal (CWE-22)
2026-06-05 https://github.com/nocodb/nocodb GHSA-wvqj-9wv4-7ff5
5.3
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 21:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 05, 2026 - 16:54 vuln.today
Analysis Generated
Jun 05, 2026 - 16:54 vuln.today

DescriptionCVE.org

Summary

An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases.

Details

The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.

Impact

Disclosure and modification of NocoDB internal state, of other tenants' databases, and of any file the NocoDB process can read or write. Authentication and base-create permission are required.

Credit

This issue was reported by @Mouhebbenelwafi.

AnalysisAI

Path traversal in NocoDB allows authenticated users with base-create permission to point a SQLite data source at any file readable or writable by the NocoDB server process, including its own internal state databases. The flaw exists in the SQLite client and base/integration create services, which accept a caller-supplied filename and pass it directly to filesystem calls without any path restriction or canonicalization. An attacker exploiting this can read or overwrite noco.db, tenant databases under nc_minimal_dbs/, or any other file accessible to the NocoDB process - enabling full internal state disclosure, cross-tenant data access, and destructive modification. No public exploit has been identified at time of analysis, and a vendor-released patch exists in version 2026.05.1.

Technical ContextAI

NocoDB is an open-source no-code database platform distributed as the npm package nocodb. The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal). The SQLite integration feature allows users to attach external SQLite files as data sources. The server-side code responsible for creating bases and integrations accepted the filename parameter directly from the API caller and passed it to Node.js fs.exists and fs.open('w') calls without normalizing the path, checking it against an allowlist, or confining it to a designated data directory. This means any filesystem path the NocoDB process has OS-level permission to read or write - including its own primary noco.db metadata database and multi-tenant databases - can be mounted as a SQLite source and then interacted with through standard NocoDB table APIs. The affected package is pkg:npm/nocodb at all versions up to and including 2026.05.0.

RemediationAI

The primary fix is to upgrade nocodb to version 2026.05.1 or later, which addresses the path traversal by adding proper path restriction and validation to the SQLite source filename handling in the base/integration create services. The release is available at https://github.com/nocodb/nocodb/releases/tag/2026.05.1. If an immediate upgrade is not possible, operators should consider restricting or disabling the ability for non-administrator users to create new bases or integrations, as the attack requires base-create permission - removing that permission from untrusted users eliminates the attack surface, though this may impact legitimate functionality. In multi-tenant or shared deployments, running the NocoDB process under a dedicated OS user with the most restrictive filesystem permissions possible (read/write only to its own data directory, no access to system files or other application data) limits the blast radius of exploitation. Operators should audit which users currently hold base-create permissions and consider tightening role assignments until patching is complete.

Share

CVE-2026-47385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy