Skip to main content

NocoDB EUVDEUVD-2026-38602

| CVE-2026-53929 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 https://github.com/nocodb/nocodb GHSA-6mhr-74x2-98v9
5.1
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Network vector with low-privilege upload account required (PR:L), victim must open the link (UI:R), scope changes to victim browser (S:C), JWT theft enables full session takeover (C:H).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:47 vuln.today
Analysis Generated
Jun 18, 2026 - 01:47 vuln.today

DescriptionCVE.org

Summary

With NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download.

Details

The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. The fix corrects the key case and additionally forces Content-Disposition: attachment and Content-Type: application/octet-stream for any MIME type not on the preview allowlist.

Impact

Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script executing in the victim's browser can read the auth JWT from localStorage. Exploitation requires authenticated upload permission and the secure-attachment mode to be enabled.

Credit

This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.

AnalysisAI

Stored Cross-Site Scripting in NocoDB (npm package, versions <= 0.301.3) allows an authenticated user with upload permissions to deliver malicious .html or .svg attachments that the victim's browser renders inline from the NocoDB origin, bypassing the intended forced-download behavior. The root cause is a header-key case mismatch in the secure attachment handler: the signed URL generator wrote overrides as PascalCase keys while the Express controller read them as lowercase-hyphen keys, silently dropping Content-Disposition: attachment and enabling inline rendering. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains NocoDB upload permission
Delivery
Uploads crafted .svg/.html with embedded script
Exploit
Victim opens attachment link in browser
Execution
Express drops Content-Disposition header due to key mismatch
Persist
Browser renders file inline on NocoDB origin
Impact
Script exfiltrates auth JWT from localStorage

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions to be simultaneously true: (1) the attacker must hold an authenticated NocoDB account with upload permission on at least one base - anonymous or read-only access is insufficient; (2) the target NocoDB instance must be configured with the environment variable `NC_SECURE_ATTACHMENTS=true`, which is a non-default opt-in setting. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-high for deployments that meet the exploitation prerequisites but lower for the broader NocoDB install base. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a NocoDB collaborator account that includes file upload permissions crafts an `.svg` file containing an embedded `<script>` tag that sends `document.cookie` and `localStorage.getItem('nocodb-token')` to an attacker-controlled endpoint. The attacker uploads this file to a shared base in a NocoDB instance running with `NC_SECURE_ATTACHMENTS=true`. …
Remediation No vendor-released patch has been confirmed at time of analysis - the GHSA advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-6mhr-74x2-98v9 and https://github.com/advisories/GHSA-6mhr-74x2-98v9 describe the fix but do not list a remediated release version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy