CVE-2026-24766
BaseFortify

Publication date: 2026-01-28

Last updated on: 2026-02-04

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.
Meta Information
Published: 2026-01-28
Last Modified: 2026-02-04
Generated: 2026-06-16
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: all versions prior to 0.301.0 (0.301.0 excluded)
CWE
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

This vulnerability in NocoDB allows an authenticated user with org-level-creator permissions to exploit prototype pollution via the /api/v2/meta/connection/test endpoint. This causes all database write operations to fail across the application until the server is restarted. Although it bypasses SUPER_ADMIN authorization checks, no privileged actions can be performed because database operations fail immediately after the pollution.

Impact Analysis

The vulnerability causes all database write operations to fail application-wide until the server is restarted, which can disrupt normal database functionality and availability. This could lead to denial of service for write operations, impacting the application's reliability and user experience.

Mitigation Strategies

Upgrade NocoDB to version 0.301.0 or later, as this version patches the prototype pollution vulnerability. Until the upgrade, restrict authenticated users with org-level-creator permissions from accessing the /api/v2/meta/connection/test endpoint to prevent exploitation.
