Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible endpoint requires authenticated editor access (PR:L); scope change (S:C) because NocoDB proxies requests to cloud IMDS and internal services; no integrity or availability impact described.
Primary rating from Vendor (https://github.com/nocodb/nocodb).
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summary
The spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL.
Details
The extension matcher is now anchored to the end of the path or immediately before the query string (/\.(xls|xlsx|xlsm|ods|ots)(\?|$)/i and /\.(csv)(\?|$)/i), so http://169.254.169.254/credentials/.xlsx no longer satisfies the format gate. The hand-rolled IP blocklist is removed in favour of useAgent(url) from request-filtering-agent, which blocks private and loopback ranges at the socket layer.
Impact
Authenticated users with editor permission could read cloud metadata and other internal HTTP endpoints reachable from the NocoDB process. On affected installs the spreadsheet import path was a credential-exfiltration primitive on cloud hosts.
Credit
This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @l3tchupkt.
AnalysisAI
Server-Side Request Forgery in NocoDB's spreadsheet-fetch endpoint (axiosRequestMake) allows authenticated users with editor-level permissions to coerce the NocoDB server into issuing HTTP requests to cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254) and other internal network resources reachable from the NocoDB process. Two distinct defensive failures enabled the attack: an un-anchored file-extension allowlist that accepted .xlsx anywhere in the URL path, and a hand-rolled IP blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated NocoDB session with at minimum editor-level permissions (`PR:L`), as the spreadsheet import endpoint enforces authentication. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No vendor or NVD CVSS score was provided; the independently assessed vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N yields a score of approximately 7.7 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a NocoDB editor account submits the URL `http://169.254.169.254/latest/meta-data/iam/security-credentials/.xlsx` to the spreadsheet import endpoint; the un-anchored extension check accepts `.xlsx` in the path and the incomplete IP blocklist does not filter `169.254.0.0/16`, so NocoDB issues the outbound HTTP GET and returns the AWS IMDSv1 credential JSON to the attacker. No public proof-of-concept was identified at time of analysis, but the advisory's disclosure of the exact bypass technique (`/credentials/.xlsx`) makes independent reproduction straightforward for any editor-level user. |
| Remediation | No specific patched npm version number was confirmed in the available data - the advisory GHSA-gprh-27j3-g5h4 (https://github.com/nocodb/nocodb/security/advisories/GHSA-gprh-27j3-g5h4) describes the code-level fix (anchored regex, `request-filtering-agent` integration) as already implemented, but the `fixed in` metadata is absent. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38609
GHSA-gprh-27j3-g5h4