Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint gated on workspace owner role (PR:H); scope changes because worker reaches systems beyond NocoDB itself; confidentiality high due to file read; integrity low for potential internal service interaction.
Primary rating from Vendor (https://github.com/nocodb/nocodb).
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summary
The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations.
Details
The migrate endpoint is restricted to the workspace owner role by ACL. The remaining gaps were (a) protocol validation - the controller now parses body.migrationUrl as a URL and rejects anything whose protocol is not http: or https: - and (b) private destination filtering - the worker already runs through useAgent(targetUrl) from request-filtering-agent, which blocks RFC 1918, loopback, and link-local at the socket layer.
Impact
With the workspace owner role, a malformed URL could be used to coerce the migration worker into reading local files or talking to non-HTTP services; combined with the HTTP-only filter, owner-supplied targets could not reach private ranges.
Credit
This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @Lihfdgjr and [@bugbunny-research (https://github.com/bugbunny-research).
AnalysisAI
Server-Side Request Forgery in NocoDB's base-migration endpoint allows authenticated workspace owners to coerce the migration worker into issuing requests using arbitrary URL schemes - including file:// and ftp:// - enabling local file disclosure and interaction with non-HTTP services. The affected package is pkg:npm/nocodb at versions up to and including 0.301.3; no released patched version has been confirmed at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be authenticated to the NocoDB instance and to hold specifically the workspace owner role as enforced by the application's ACL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No vendor-provided CVSS score or EPSS score is available for this CVE, so risk assessment relies on the advisory description, SSRF tag, CWE-918 classification, and independently assessed metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or has compromised a workspace owner account in a NocoDB instance issues a POST to the base-migration endpoint with a migrationUrl set to a file:// path such as file:///etc/passwd or file:///app/.env - the migration worker dereferences the URL using the Node.js HTTP stack or equivalent, reads the file contents from disk, and returns or logs the data accessible to the attacker. No public proof-of-concept code is known, but the technique is straightforward to implement given the SSRF class description and the specificity of the advisory disclosure. |
| Remediation | No vendor-released patched version of pkg:npm/nocodb has been confirmed at time of analysis - fixed_in is listed as None in the advisory package data, despite the advisory describing the intended fix approach. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38601
GHSA-h6vv-pcq8-7xm4