CVE-2026-47382
TCP Socket Connection Bypass in NocoDB

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: up to 2026.05.1 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

The vulnerability in NocoDB prior to version 2026.05.1 involves the connection-test endpoint opening a raw TCP socket to a user-supplied database host without properly resolving or range-checking the destination address.

This means that private and link-local IP addresses, including IPv4-mapped IPv6 forms and localhost addresses, could be reached by the driver, potentially allowing unintended access to internal or restricted network resources.

The issue was fixed in version 2026.05.1 by adding proper checks to prevent such connections.

Impact Analysis

This vulnerability could allow an attacker or user to connect to internal or private network addresses that should not be accessible, potentially exposing sensitive internal services or data.

By reaching private or link-local addresses through the connection-test endpoint, unauthorized access or information disclosure could occur, increasing the risk of network reconnaissance or exploitation of internal systems.

Mitigation Strategies

To mitigate this vulnerability, update NocoDB to version 2026.05.1 or later, where the issue with the connection-test endpoint has been fixed.
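
For deployments that expose a similar connection-test feature, the control the description says was missing (resolve the host, then range-check every resulting address, including IPv4-mapped IPv6 forms and localhost) looks like this as an added example; it is not NocoDB's code or its patch. The helper names, the block list (loopback, private, link-local and unique-local ranges only) and the sample addresses in the test are assumptions.

```javascript
// Added example with hypothetical helper names; not NocoDB's code. No imports needed.
// [base, prefix bits]: 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16
const V4_BLOCKED = [[0x00000000, 8], [0x0a000000, 8], [0x7f000000, 8],
  [0xa9fe0000, 16], [0xac100000, 12], [0xc0a80000, 16]];

function parseV4(s) { // dotted quad -> unsigned 32-bit integer, or null
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  const o = m ? m.slice(1).map(Number) : [256];
  return o.some((x) => x > 255) ? null : ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function v4Blocked(n) {
  return V4_BLOCKED.some(([base, bits]) => (n >>> (32 - bits)) === (base >>> (32 - bits)));
}

function parseV6(s) { // -> eight 16-bit groups, or null
  let str = s.replace(/^\[|\]$/g, '').toLowerCase();
  const cut = str.lastIndexOf(':') + 1;
  const v4 = parseV4(str.slice(cut)); // embedded dotted quad, e.g. ::ffff:127.0.0.1
  if (v4 !== null) str = str.slice(0, cut) + (v4 >>> 16).toString(16) + ':' + (v4 & 0xffff).toString(16);
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const [head, rest] = [halves[0], halves[1]].map((h) => (h ? h.split(':') : []));
  const fill = halves.length === 2 ? Math.max(0, 8 - head.length - rest.length) : 0;
  const groups = [...head, ...Array(fill).fill('0'), ...rest];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isBlockedAddress(ip) {
  const v4 = parseV4(ip);
  if (v4 !== null) return v4Blocked(v4);
  const g = parseV6(ip);
  if (g === null) return true; // unparseable input: fail closed
  const zeros5 = g.slice(0, 5).every((x) => x === 0);
  if (zeros5 && g[5] === 0xffff) return v4Blocked(((g[6] << 16) | g[7]) >>> 0); // IPv4-mapped
  if (zeros5 && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xfe00) === 0xfc00; // link-local, unique local
}

// `resolved`: every address the resolver returned for `host` (unused for IP literals).
function checkDestination(host, resolved) {
  const name = host.trim().toLowerCase().replace(/\.$/, '');
  if (name === 'localhost' || name.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const addrs = parseV4(name) !== null || parseV6(name) !== null ? [name] : resolved;
  const bad = addrs.find(isBlockedAddress);
  if (bad !== undefined || addrs.length === 0) return { ok: false, reason: bad || 'unresolved' };
  return { ok: true, connectTo: addrs[0] }; // connect to the checked IP, do not resolve again
}
```

The caller is expected to pass the full address list from its resolver and then open the socket to `connectTo` rather than to the hostname, so the address that was checked is the address that is used.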
