Skip to main content

NocoDB CVE-2026-47387

| EUVDEUVD-2026-38612 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 https://github.com/nocodb/nocodb GHSA-hj85-ph9q-78jg
8.4
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Network-reachable form-view API, editor role needed (PR:L), viewer must submit the form (UI:R), payload executes in NocoDB origin different from the attacker's base context (S:C), session-token theft yields high C and I, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 21:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 21:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 21:22 NVD
8.4 (HIGH)
Source Code Evidence Fetched
Jun 05, 2026 - 16:51 vuln.today
Analysis Generated
Jun 05, 2026 - 16:51 vuln.today

DescriptionCVE.org

Summary

The shared form-view submit handler in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"].

Details

The vulnerable sink is in packages/nc-gui/composables/useSharedFormViewStore.ts:

  • isValidRedirectUrl validated only typeof === 'string' and non-empty trim - no scheme check.
  • The submit branch built an anchor element, compared anchor.host to window.location.host, and either pushState-reloaded (same host) or assigned window.location.href = redirectUrl (otherwise).
  • For non-network schemes such as javascript:, data:, vbscript:, and file:, anchor.host is the empty string, so the same-host check is false and the code falls into the external-redirect branch - executing the URL same-origin in the NocoDB tab.

The redirect_url field is writable by any user with editor role on the base via the form-view PATCH endpoint, and the value is returned verbatim by the public shared-view meta endpoint, so no further privilege is required to weaponize a public form share.

Impact

  • Same-origin script execution in the viewer's NocoDB tab. The payload runs in the NocoDB origin and can read the session token at localStorage["nocodb-gui-v2"].token.
  • Action under the viewer's identity. With the token, an attacker can call authenticated APIs as the viewer, scoped to whatever workspaces, bases, and operations that viewer is permitted to use.
  • Single-click viewer flow. Form share-links are the intended distribution channel for forms, so the phishing surface is on-brand; the form can be configured with a single hidden pre-filled required field to reduce the viewer flow to one click.

Credit

This issue was reported by @kah-ja (turingpoint.de).

AnalysisAI

Stored cross-site scripting in NocoDB through 2026.05.0 allows a base editor to plant a javascript: URL in a form view's redirect_url, which executes same-origin in any authenticated viewer's browser when they submit the shared form. The payload can exfiltrate the session token from localStorage["nocodb-gui-v2"] and call NocoDB APIs as the victim. No public exploit identified at time of analysis, EPSS 0.07% (21st percentile), but a vendor patch is available in release 2026.05.1.

Technical ContextAI

NocoDB is an open-source Airtable-style no-code database platform distributed as the nocodb npm package. The defect lives in the Vue/Nuxt frontend composable packages/nc-gui/composables/useSharedFormViewStore.ts, where isValidRedirectUrl only checks that the value is a non-empty string and the submit handler relies on comparing an anchor element's host to window.location.host to distinguish internal vs external redirects. For pseudo-schemes like javascript:, data:, vbscript:, and file:, anchor.host is the empty string, so the same-host check fails and the code assigns the attacker-controlled value to window.location.href, executing script in the NocoDB origin. This is a classic CWE-79 (Cross-site Scripting) sink caused by missing URL scheme validation on a sink that effectively behaves as an HTML/JS navigation context.

RemediationAI

Vendor-released patch: upgrade NocoDB to 2026.05.1 or later, available at https://github.com/nocodb/nocodb/releases/tag/2026.05.1, which adds URL scheme validation to the shared form-view redirect logic. Refer to the GitHub Security Advisory GHSA-hj85-ph9q-78jg for additional details. If immediate upgrade is not possible, compensating controls include auditing all existing form views for non-http(s) redirect_url values via the database or admin API and clearing suspect entries, tightening editor role assignments on bases that publish public shared forms, and instructing users not to submit public shared forms while authenticated to NocoDB in the same browser session - each of these reduces but does not eliminate the attack surface and may disrupt legitimate use of shared forms.

Share

CVE-2026-47387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy