Skip to main content

NocoDB EUVDEUVD-2026-38600

| CVE-2026-53931 MEDIUM
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-06-17 https://github.com/nocodb/nocodb GHSA-hmcr-rmjq-47qr
6.9
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Unauthenticated network vector with trivial bypass; scope changes as internal services outside NocoDB's security domain yield high confidentiality impact with no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:49 vuln.today
Analysis Generated
Jun 18, 2026 - 01:49 vuln.today

DescriptionCVE.org

Summary

The spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv (for example https://example.com/robots.txt?.csv) satisfied the gate even though the underlying request was for robots.txt.

Details

Three layers of protection now apply to the endpoint:

  • The controller is decorated with @UseGuards(DataApiLimiterGuard, GlobalGuard)

and @Acl('fetchViaUrl'), so unauthenticated callers and callers without the editor role are rejected before the request body is processed.

  • The extension allowlist is tested against url.pathname only. Callers can

no longer satisfy the regex by appending a .csv suffix to the query string.

  • The downstream axios call is wired to useAgent(url) from

request-filtering-agent, which blocks RFC 1918, loopback, link-local, and other private destinations at the socket layer.

Impact

Unauthenticated callers could previously coerce the NocoDB process to issue HTTP requests on their behalf, including to internal services reachable from the host. With the auth gate in place and the pathname-anchored extension check combined with socket-layer destination filtering, the endpoint is no longer usable as a generic proxy and can no longer reach private ranges.

Credit

This issue was reported by the GitHub Security Lab (@p-, @m-y-mo).

AnalysisAI

Server-Side Request Forgery in NocoDB (npm/nocodb <= 0.301.3) allowed unauthenticated remote attackers to coerce the NocoDB server process into issuing arbitrary outbound HTTP requests, including to RFC 1918 internal services, cloud metadata endpoints, and loopback addresses. The attack exploited two compounding weaknesses: the spreadsheet-import endpoint axiosRequestMake required no authentication, and its file-extension allowlist regex was evaluated against the full URL string rather than the pathname alone, making bypass trivial by appending ?.csv to any URL's query string. No public exploit has been identified at time of analysis, though the bypass technique is explicitly described in the GitHub Security Lab advisory GHSA-hmcr-rmjq-47qr and is trivially reproducible.

Technical ContextAI

The vulnerable component is NocoDB's spreadsheet-import feature, which exposes an HTTP handler (axiosRequestMake) that fetches a user-supplied URL server-side using axios and returns the response - a classic SSRF sink. The root cause maps to CWE-441 (Unintended Proxy or Intermediary): the intended function (importing a remote CSV) was insufficiently bounded, making it a general-purpose HTTP proxy. The allowlist gate used a regular expression matched against the complete URL string, meaning the .csv check could be satisfied by injecting .csv anywhere in the URL - specifically as a query parameter suffix (e.g., https://internal-host/secret?.csv). No socket-layer destination filtering was applied, so the axios call could reach any host reachable from the NocoDB process, including RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud instance metadata services. Affected package: pkg:npm/nocodb, all versions <= 0.301.3.

RemediationAI

No confirmed patched npm release version is available in the input data; the advisory records 'None' as the fixed version, which may indicate that the source-level fix (described in GHSA-hmcr-rmjq-47qr as adding @UseGuards(DataApiLimiterGuard, GlobalGuard), @Acl('fetchViaUrl'), pathname-anchored extension checks, and request-filtering-agent socket filtering) has not yet been published to the npm registry as of this analysis. Monitor the NocoDB npm package (https://www.npmjs.com/package/nocodb) and the GitHub repository for a release beyond 0.301.3 that incorporates these three controls. As an immediate compensating control, restrict inbound network access to NocoDB's API surface to authenticated, trusted users only using a reverse proxy or WAF with authentication enforcement - this eliminates the unauthenticated attack vector. Independently, apply host-level or container-level egress filtering to block outbound connections from the NocoDB process to RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local ranges (169.254.0.0/16), including the cloud metadata endpoint 169.254.169.254. This egress restriction limits SSRF blast radius even if the application-layer controls are bypassed. Note that blocking 169.254.169.254 at the host firewall may affect legitimate cloud platform integrations.

Share

EUVD-2026-38600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy