Skip to main content

NocoDB CVE-2026-53930

| EUVDEUVD-2026-38601 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-17 https://github.com/nocodb/nocodb GHSA-h6vv-pcq8-7xm4
5.1
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Network endpoint gated on workspace owner role (PR:H); scope changes because worker reaches systems beyond NocoDB itself; confidentiality high due to file read; integrity low for potential internal service interaction.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:47 vuln.today
Analysis Generated
Jun 18, 2026 - 01:47 vuln.today

DescriptionCVE.org

Summary

The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations.

Details

The migrate endpoint is restricted to the workspace owner role by ACL. The remaining gaps were (a) protocol validation - the controller now parses body.migrationUrl as a URL and rejects anything whose protocol is not http: or https: - and (b) private destination filtering - the worker already runs through useAgent(targetUrl) from request-filtering-agent, which blocks RFC 1918, loopback, and link-local at the socket layer.

Impact

With the workspace owner role, a malformed URL could be used to coerce the migration worker into reading local files or talking to non-HTTP services; combined with the HTTP-only filter, owner-supplied targets could not reach private ranges.

Credit

This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @Lihfdgjr and [@bugbunny-research (https://github.com/bugbunny-research).

AnalysisAI

Server-Side Request Forgery in NocoDB's base-migration endpoint allows authenticated workspace owners to coerce the migration worker into issuing requests using arbitrary URL schemes - including file:// and ftp:// - enabling local file disclosure and interaction with non-HTTP services. The affected package is pkg:npm/nocodb at versions up to and including 0.301.3; no released patched version has been confirmed at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to NocoDB as workspace owner
Delivery
Craft migrationUrl with file:// or ftp:// scheme
Exploit
POST to base-migration endpoint
Execution
Migration worker dereferences URL without scheme validation
Persist
Read local filesystem or interact with internal non-HTTP service
Impact
Exfiltrate sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be authenticated to the NocoDB instance and to hold specifically the workspace owner role as enforced by the application's ACL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor-provided CVSS score or EPSS score is available for this CVE, so risk assessment relies on the advisory description, SSRF tag, CWE-918 classification, and independently assessed metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or has compromised a workspace owner account in a NocoDB instance issues a POST to the base-migration endpoint with a migrationUrl set to a file:// path such as file:///etc/passwd or file:///app/.env - the migration worker dereferences the URL using the Node.js HTTP stack or equivalent, reads the file contents from disk, and returns or logs the data accessible to the attacker. No public proof-of-concept code is known, but the technique is straightforward to implement given the SSRF class description and the specificity of the advisory disclosure.
Remediation No vendor-released patched version of pkg:npm/nocodb has been confirmed at time of analysis - fixed_in is listed as None in the advisory package data, despite the advisory describing the intended fix approach. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy