CVE-2026-24768
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | < 0.301.0 (0.301.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unvalidated redirect (open redirect) in NocoDB's login flow prior to version 0.301.0. It occurs because the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites after login. This can be exploited to conduct phishing attacks by leveraging user trust in the legitimate login process. The vulnerability does not expose credentials directly or bypass authentication but increases the risk of credential theft through social engineering.
How can this vulnerability impact me?
The vulnerability can impact you by enabling attackers to redirect authenticated users to malicious external sites after login, facilitating phishing attacks. This undermines the integrity of the authentication process and increases the likelihood of credential theft through social engineering. However, it does not allow attackers to execute arbitrary code or escalate privileges.
What immediate steps should I take to mitigate this vulnerability?
Upgrade NocoDB to version 0.301.0 or later, as this version fixes the unvalidated redirect vulnerability in the login flow by properly validating the `continueAfterSignIn` parameter.
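The fix described above, validating the post-login redirect target, is the generic defence for CWE-601. The following is an added example written for this page; it is not NocoDB's code and does not reproduce the project's actual patch. It assumes a Node.js login handler that reads a `continueAfterSignIn` value (the parameter name is from the advisory) and only honours it when it resolves to a path on the application's own origin; the `appOrigin` argument, the `DEFAULT_LANDING` fallback and the helper names are assumptions.

```javascript
// Added example (not NocoDB's code): accept a post-login redirect only when it is a
// same-origin path. Anything else, including absolute URLs, protocol-relative URLs
// ("//host"), backslash variants ("/\host") and scheme-only values ("javascript:"),
// falls back to a fixed landing page.

const DEFAULT_LANDING = "/dashboard"; // assumed fallback route

function safeContinueAfterSignIn(raw, appOrigin) {
  // Normalise the configured origin so "https://app.example/" and "https://app.example" compare equal.
  const origin = new URL(appOrigin).origin;

  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_LANDING;

  // Tabs, newlines and other control characters are silently stripped by the WHATWG
  // URL parser, so "/\t/evil" would become "//evil"; reject them up front.
  if (/[\s\u0000-\u001f\u007f]/.test(raw)) return DEFAULT_LANDING;

  // A safe value is a relative path: starts with a single "/" and not with "//" or "/\".
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return DEFAULT_LANDING;
  }

  let parsed;
  try {
    // Resolve against our own origin; this also normalises "../" segments.
    parsed = new URL(raw, origin);
  } catch {
    return DEFAULT_LANDING;
  }

  // Belt and braces: confirm the resolved URL is still on our origin.
  if (parsed.origin !== origin) return DEFAULT_LANDING;

  // Return only path + query + fragment, never a scheme or host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs (not from the advisory) showing how each is handled.
const SAMPLE_ORIGIN = "https://app.example"; // assumed deployment origin
const SAMPLES = [
  "/projects/42",
  "/a/../b?x=1#f",
  "https://evil.example/login",
  "//evil.example/x",
  "/\\evil.example",
  "javascript:alert(1)",
  "",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeContinueAfterSignIn(s, SAMPLE_ORIGIN));
}
```

Detection-wise, the same predicate can be run over login-request logs: any `continueAfterSignIn` value that this function would reject is worth alerting on, since legitimate clients only ever send same-origin paths.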