Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the password reset. An attacker can execute arbitrary JavaScript in the context of the application by crafting a malicious password reset link and convincing a victim to follow it. This allows the attacker to access authentication state and perform actions on behalf of the victim.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.301.3 or higher.

SQL Injection
nocodb is a NocoDB
Affected versions of this package are vulnerable to SQL Injection via the ARRAYSORT formula argument processing in Postgres-backed deployments. An attacker can execute arbitrary SQL commands and cause significant query delays by injecting malicious input into the direction argument, which is improperly validated and embedded into a raw SQL fragment during column creation and on every subsequent record read.
How to fix SQL Injection? Upgrade nocodb to version 0.301.3 or higher.

Access Control Bypass
nocodb is a NocoDB
Affected versions of this package are vulnerable to Access Control Bypass via the publicMmList, publicHmList, relDataList, and nested endpoints when the show flag for a column is not properly checked. An attacker can access hidden linked records by supplying a valid share UUID and directly querying relation endpoints for columns that are not visible in the shared view.
How to fix Access Control Bypass? Upgrade nocodb to version 0.301.3 or higher.

Directory Traversal
nocodb is a NocoDB
Affected versions of this package are vulnerable to Directory Traversal in the process that handles SQLite source filenames. An attacker can gain unauthorized access to, or modify, internal application data by supplying a crafted filename that points to arbitrary files accessible by the application process. This allows reading or overwriting sensitive files through the standard table APIs. This is only exploitable if the attacker is authenticated and has base-create permissions.
How to fix Directory Traversal? Upgrade nocodb to version 0.301.3 or higher.

Authorization Bypass Through User-Controlled Key
nocodb is a NocoDB
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the public shared-view endpoints, which exposed values from columns that were intended to be hidden. An attacker can access sensitive information by crafting requests that leverage the groupBy, filter, sort, or related-data list functionalities to enumerate or extract hidden column values without authentication.
How to fix Authorization Bypass Through User-Controlled Key? Upgrade nocodb to version 0.301.3 or higher.

Server-side Request Forgery (SSRF)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the connection-test endpoint. An authenticated attacker can access internal network resources by supplying a crafted database host value when testing database connections.
How to fix Server-side Request Forgery (SSRF)? Upgrade nocodb to version 0.301.3 or higher.

Authorization Bypass Through User-Controlled Key
nocodb is a NocoDB
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the readAttachment tool. An attacker can access files in the shared storage belonging to other users by supplying a known attachment path and a valid MCP token.
How to fix Authorization Bypass Through User-Controlled Key? Upgrade nocodb to version 0.301.3 or higher.

SQL Injection
nocodb is a NocoDB
Affected versions of this package are vulnerable to SQL Injection via the bulk groupBy. An authenticated attacker can execute arbitrary SQL commands by setting a column's title to a crafted SQL fragment, which is then interpolated into a database query without proper sanitization.
How to fix SQL Injection? Upgrade nocodb to version 0.301.3 or higher.

User Impersonation
nocodb is a NocoDB
Affected versions of this package are vulnerable to User Impersonation via the testConnection endpoint when the integration is fetched in a bypass scope and permission checks are insufficiently scoped to the integration's workspace. An attacker can gain unauthorized access to integration configurations and potentially interact with databases using another workspace's credentials by supplying the integration ID and possessing creator or owner privileges on any base in any workspace.
How to fix User Impersonation? Upgrade nocodb to version 0.301.3 or higher.

Brute Force
nocodb is a NocoDB
Affected versions of this package are vulnerable to Brute Force via the auth.service.ts file. An attacker can determine whether specific email addresses are registered by measuring the response time of sign-in attempts.
How to fix Brute Force? Upgrade nocodb to version 0.301.3 or higher.

Information Exposure
nocodb is a NocoDB
Affected versions of this package are vulnerable to Information Exposure via the shared-view password check. An attacker can infer sensitive information about legacy plaintext passwords by measuring authentication response times, potentially revealing password length and prefix without prior authentication.
Note: This is only exploitable if the targeted shared view uses a password created before the bcrypt migration and the attacker can accurately time authentication responses.
How to fix Information Exposure? Upgrade nocodb to version 0.301.3 or higher.

Race Condition
nocodb is a NocoDB
Affected versions of this package are vulnerable to a Race Condition in the OAuth token exchange. An attacker can obtain multiple valid token pairs by making concurrent requests that reuse the same authorization code and PKCE verifier.
How to fix Race Condition? Upgrade nocodb to version 0.301.3 or higher.

Insufficient Session Expiration
nocodb is a NocoDB
Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke OAuth tokens in the revokeAllOAuthTokensByUser process after password change, reset, or recovery. An attacker can maintain unauthorized access by continuing to use previously issued OAuth tokens even after a user has performed a security event intended to invalidate such access.
How to fix Insufficient Session Expiration? Upgrade nocodb to version 0.301.3 or higher.

Missing Authorization
nocodb is a NocoDB
Affected versions of this package are vulnerable to Missing Authorization via the AclMiddleware in the request authorization path. An attacker can invite users or enumerate base members by sending userInvite or baseUserList requests from a shared-base session. This allows a public-link visitor to perform privileged membership operations on a base, exposing member information and enabling unwanted access to the shared workspace.
How to fix Missing Authorization? A fix was pushed into the master branch but not yet published.

Insufficient Session Expiration
nocodb is a NocoDB
Affected versions of this package are vulnerable to Insufficient Session Expiration through the ApiToken delete path in the token management code. An attacker can keep using a deleted API token because the cache entry remains keyed under the token value after deletion, leaving stale authentication data available for subsequent requests.
How to fix Insufficient Session Expiration? A fix was pushed into the master branch but not yet published.

Allocation of Resources Without Limits or Throttling
nocodb is a NocoDB
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AttachmentsService upload-by-URL path in the attachment handling code. An attacker can exhaust storage or processing resources by providing a remote file URL pointing to a very large file. The service accepts the response metadata from the fetched URL without enforcing a file size limit, allowing oversized uploads to be pulled into the attachment workflow and disrupting normal application use.
How to fix Allocation of Resources Without Limits or Throttling? A fix was pushed into the master branch but not yet published.

Server-side Request Forgery (SSRF)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the sendMessage methods in the Discord, Mattermost, Slack, and Teams webhook adapters. An attacker can make the server send requests to attacker-controlled URLs by supplying a webhook_url in payload.channels, causing the application to connect to arbitrary internal or external endpoints and leak request traffic through the webhook delivery path.
Workarounds
- Restrict webhook creation and editing to trusted authenticated users only, because an authenticated user with hook-creation permission can point notification.payload.channels[].webhook_url at internal or attacker-controlled hosts and trigger outbound requests through the webhook delivery path.
- Avoid enabling verbose hook logging with NC_AUTOMATION_LOG_LEVEL=ALL, because it can expose response bodies from the SSRF-triggered webhook requests and increase the amount of data an attacker can exfiltrate.
How to fix Server-side Request Forgery (SSRF)? A fix was pushed into the master branch but not yet published.

Sensitive Cookie in HTTPS Session Without "Secure" Attribute
nocodb is a NocoDB
Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute through the setTokenCookie function in the authentication service. An attacker can steal or replay the refresh_token by intercepting it over plaintext HTTP or by inducing the browser to send it in cross-site requests. This exposes user sessions to hijacking and unauthorized access to accounts.
How to fix Sensitive Cookie in HTTPS Session Without "Secure" Attribute? A fix was pushed into the master branch but not yet published.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CommentsService component, which uses v-html without proper sanitization. An attacker can execute arbitrary JavaScript code in the context of a user's browser by submitting crafted input that is later viewed by other users.
Note: This issue affects users of the nc-gui frontend.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.301.3 or higher.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the v-html due to the lack of sanitization. An attacker with Editor role can execute arbitrary scripts in the context of a user's browser by storing malicious content in rich text cells.
Note: This issue affects users of the nc-gui frontend.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.301.3 or higher.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Comment.insert() function, which lacks sanitization for stored HTML. An attacker can execute arbitrary JavaScript code in the context of the user's browser by submitting crafted input that is later viewed by other users.
Note: This issue affects users of the nc-gui frontend.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.301.3 or higher.

SQL Injection
nocodb is a NocoDB
Affected versions of this package are vulnerable to SQL Injection via the DATEADD formula's unit parameter. An attacker with the Creator role can execute arbitrary SQL commands by supplying crafted input to this parameter.
How to fix SQL Injection? Upgrade nocodb to version 0.301.3 or higher.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CommentsService component that lacks sanitization for stored HTML. An attacker can execute arbitrary scripts in the context of users viewing affected rich text fields by injecting unsanitized HTML through the API.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.301.3 or higher.

Authorization Bypass Through User-Controlled Key
nocodb is a NocoDB
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the McpTokenService.get(), regenerateToken(), and delete() functions due to missing ownership validation for MCP tokens. An attacker with Creator role privileges can access, regenerate, or delete another user's tokens by knowing the target token ID.
How to fix Authorization Bypass Through User-Controlled Key? Upgrade nocodb to version 0.301.3 or higher.

Insufficient Session Expiration
nocodb is a NocoDB
Affected versions of this package are vulnerable to Insufficient Session Expiration in the passwordReset() function that fails to call UserRefreshToken.deleteAllUserToken() to invalidate JWTs. An attacker can maintain unauthorized access by using a previously obtained refresh token to mint valid JWTs even after the victim resets their password.
How to fix Insufficient Session Expiration? Upgrade nocodb to version 0.301.3 or higher.

Information Exposure
nocodb is a NocoDB
Affected versions of this package are vulnerable to Information Exposure via the POST /api/v2/auth/password/forgot endpoint. An attacker can determine whether a specific email address is registered by submitting password reset requests and analyzing the differing responses.
How to fix Information Exposure? Upgrade nocodb to version 0.301.3 or higher.

Credential Exposure
nocodb is a NocoDB
Affected versions of this package are vulnerable to Credential Exposure in the password column of the nc_views table in public-datas.service.ts, public-metas.service.ts and calendar-datas.service.ts, where passwords are stored in plaintext. An attacker can obtain sensitive authentication credentials by gaining unauthorized access to the database.
How to fix Credential Exposure? Upgrade nocodb to version 0.301.3 or higher.

Open Redirect
nocodb is a NocoDB
Affected versions of this package are vulnerable to Open Redirect via the continueAfterSignIn parameter during the authentication process. An attacker can redirect authenticated users to arbitrary external websites by supplying a crafted value, increasing the risk of credential theft through social engineering.
How to fix Open Redirect? Upgrade nocodb to version 0.301.0 or higher.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SVG upload. An attacker can execute arbitrary JavaScript in the browsers of other users by uploading a crafted SVG file containing embedded scripts, which are rendered inline when viewed.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.301.0 or higher.

Prototype Pollution
nocodb is a NocoDB
Affected versions of this package are vulnerable to Prototype Pollution via the deepMerge() function in utils/dataUtils.ts file. An attacker can cause all database write operations to fail application-wide until the server is restarted by sending crafted requests to this endpoint.
Note: This is only exploitable if the attacker is an authenticated user with org-level-creator permissions.
How to fix Prototype Pollution? Upgrade nocodb to version 0.301.0 or higher.

Server-side Request Forgery (SSRF)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the uploadViaURL function in the attachments.service.ts file. An attacker can trigger outbound requests to arbitrary URLs by supplying crafted input to the process before validation is enforced.
How to fix Server-side Request Forgery (SSRF)? Upgrade nocodb to version 0.301.0 or higher.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the password reset API endpoint /api/v1/db/auth/password/reset/. An attacker can execute scripts in the context of the user's browser session by convincing the user to follow a malicious link.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.258.0 or higher.

Cross-site Scripting (XSS)
nocodb is a NocoDB
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the replaceUrlsWithLink function. An attacker can execute arbitrary JavaScript code by embedding malicious content within the formula fields that are improperly sanitized before being displayed.
How to fix Cross-site Scripting (XSS)? Upgrade nocodb to version 0.202.9 or higher.

SQL Injection
nocodb is a NocoDB
Affected versions of this package are vulnerable to SQL Injection through the columnList method. An attacker with create access can execute arbitrary SQL commands and potentially access or modify sensitive data by including a special character (') in the table name to manipulate the SQL query.
How to fix SQL Injection? Upgrade nocodb to version 0.202.10 or higher.