Skip to main content

NocoDB CVE-2026-53927

| EUVDEUVD-2026-38609 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-17 https://github.com/nocodb/nocodb GHSA-gprh-27j3-g5h4
5.1
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-accessible endpoint requires authenticated editor access (PR:L); scope change (S:C) because NocoDB proxies requests to cloud IMDS and internal services; no integrity or availability impact described.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:46 vuln.today
Analysis Generated
Jun 18, 2026 - 01:46 vuln.today

DescriptionCVE.org

Summary

The spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL.

Details

The extension matcher is now anchored to the end of the path or immediately before the query string (/\.(xls|xlsx|xlsm|ods|ots)(\?|$)/i and /\.(csv)(\?|$)/i), so http://169.254.169.254/credentials/.xlsx no longer satisfies the format gate. The hand-rolled IP blocklist is removed in favour of useAgent(url) from request-filtering-agent, which blocks private and loopback ranges at the socket layer.

Impact

Authenticated users with editor permission could read cloud metadata and other internal HTTP endpoints reachable from the NocoDB process. On affected installs the spreadsheet import path was a credential-exfiltration primitive on cloud hosts.

Credit

This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @l3tchupkt.

AnalysisAI

Server-Side Request Forgery in NocoDB's spreadsheet-fetch endpoint (axiosRequestMake) allows authenticated users with editor-level permissions to coerce the NocoDB server into issuing HTTP requests to cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254) and other internal network resources reachable from the NocoDB process. Two distinct defensive failures enabled the attack: an un-anchored file-extension allowlist that accepted .xlsx anywhere in the URL path, and a hand-rolled IP blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise NocoDB editor-level credentials
Delivery
Craft URL embedding .xlsx mid-path targeting 169.254.169.254 (e.g., /latest/meta-data/iam/security-credentials/.xlsx)
Exploit
Submit crafted URL to axiosRequestMake spreadsheet-fetch endpoint
Execution
NocoDB server issues unauthenticated HTTP GET to cloud IMDS
Persist
Cloud IMDS returns IAM role credentials in response body
Impact
Attacker receives credentials and pivots to cloud account access

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated NocoDB session with at minimum editor-level permissions (`PR:L`), as the spreadsheet import endpoint enforces authentication. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor or NVD CVSS score was provided; the independently assessed vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N yields a score of approximately 7.7 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a NocoDB editor account submits the URL `http://169.254.169.254/latest/meta-data/iam/security-credentials/.xlsx` to the spreadsheet import endpoint; the un-anchored extension check accepts `.xlsx` in the path and the incomplete IP blocklist does not filter `169.254.0.0/16`, so NocoDB issues the outbound HTTP GET and returns the AWS IMDSv1 credential JSON to the attacker. No public proof-of-concept was identified at time of analysis, but the advisory's disclosure of the exact bypass technique (`/credentials/.xlsx`) makes independent reproduction straightforward for any editor-level user.
Remediation No specific patched npm version number was confirmed in the available data - the advisory GHSA-gprh-27j3-g5h4 (https://github.com/nocodb/nocodb/security/advisories/GHSA-gprh-27j3-g5h4) describes the code-level fix (anchored regex, `request-filtering-agent` integration) as already implemented, but the `fixed in` metadata is absent. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy