CVE-2026-24766
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | up to 0.301.0 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in NocoDB allows an authenticated user with org-level-creator permissions to exploit prototype pollution via the /api/v2/meta/connection/test endpoint. This causes all database write operations to fail across the application until the server is restarted. Although it bypasses SUPER_ADMIN authorization checks, no privileged actions can be performed because database operations fail immediately after the pollution.
How can this vulnerability impact me?
The vulnerability causes all database write operations to fail application-wide until the server is restarted, which can disrupt normal database functionality and availability. This could lead to denial of service for write operations, impacting the application's reliability and user experience.
What immediate steps should I take to mitigate this vulnerability?
Upgrade NocoDB to version 0.301.0 or later, as this version patches the prototype pollution vulnerability. Until the upgrade, restrict authenticated users with org-level-creator permissions from accessing the /api/v2/meta/connection/test endpoint to prevent exploitation.
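The Q&A above describes the weakness class (CWE-1321) and the interim mitigation in general terms. The following is an added example, not NocoDB's own code: a body check that refuses the classic prototype-polluting keys before a connection-test payload is merged into a config, plus a merge that cannot reach Object.prototype. The page does not say which field of the /api/v2/meta/connection/test body was abused in CVE-2026-24766, so the "__proto__"/"constructor"/"prototype" vector, the handler and sample bodies are assumptions.

```javascript
// Added example, not NocoDB's code. CWE-1321 is attacker-controlled keys in a request
// body reaching Object.prototype. The page does not say which field of the
// /api/v2/meta/connection/test body was abused in CVE-2026-24766, so this assumes the
// classic vector: "__proto__", "constructor" or "prototype" keys nested in the JSON.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value; return the dotted path of the first forbidden key, or
// null when the body is clean. JSON.parse keeps "__proto__" as an own key, so
// Object.entries sees it.
function findPollutingKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (!Array.isArray(value) && FORBIDDEN_KEYS.has(key)) return here;
    const deeper = findPollutingKey(child, here);
    if (deeper) return deeper;
  }
  return null;
}

// Merge a body onto trusted defaults without the pollution path: forbidden keys are
// skipped and every result object has a null prototype, so no write can climb the
// chain to Object.prototype. Defaults are copied, never mutated.
function safeMerge(defaults, source) {
  const out = Object.assign(Object.create(null), defaults);
  for (const [key, child] of Object.entries(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const nested = child !== null && typeof child === 'object' && !Array.isArray(child);
    const base = out[key] !== null && typeof out[key] === 'object' ? out[key] : {};
    out[key] = nested ? safeMerge(base, child) : child;
  }
  return out;
}

// Handler logic for the endpoint (hypothetical names; the HTTP framework is omitted):
// reject a polluted body with 400 and a log line, otherwise use the merged config.
function handleConnectionTest(body, defaults, log = console.log) {
  const bad = findPollutingKey(body);
  if (bad) {
    log(`connection/test rejected: prototype-polluting key at ${bad}`);
    return { status: 400, config: null };
  }
  return { status: 200, config: safeMerge(defaults, body) };
}

// Constructed sample bodies: one ordinary, one carrying the assumed vector.
const CLEAN_BODY = JSON.parse('{"client":"pg","connection":{"host":"db.example","port":5432}}');
const POLLUTED_BODY = JSON.parse('{"client":"pg","connection":{"__proto__":{"isAdmin":true}}}');
```

The log line gives a detection hook: an alert on "prototype-polluting key" from this endpoint is the signal that someone with org-level-creator permissions is probing it.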