CVE-2026-24766
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-24766, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-28

Last updated on: 2026-02-04

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-28
Last Modified
2026-02-04
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 0.301.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in NocoDB allows an authenticated user with org-level-creator permissions to exploit prototype pollution via the /api/v2/meta/connection/test endpoint. This causes all database write operations to fail across the application until the server is restarted. Although it bypasses SUPER_ADMIN authorization checks, no privileged actions can be performed because database operations fail immediately after the pollution.

Impact Analysis

The vulnerability causes all database write operations to fail application-wide until the server is restarted, which can disrupt normal database functionality and availability. This could lead to denial of service for write operations, impacting the application's reliability and user experience.

Mitigation Strategies

Upgrade NocoDB to version 0.301.0 or later, as this version patches the prototype pollution vulnerability. Until the upgrade, restrict authenticated users with org-level-creator permissions from accessing the /api/v2/meta/connection/test endpoint to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart