CVE-2026-47385
Status: Received - Intake
SQLite Arbitrary File Read/Write in NocoDB

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs. This vulnerability is fixed in 2026.05.1.
Affected Vendors & Products

Vendor   Product   Version / Range
nocodb   nocodb    to 2026.05.1 (inc)
CWE
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability affects NocoDB software versions prior to 2026.05.1. An authenticated user with base-create permission can attach a SQLite source that points to an arbitrary file on the NocoDB host system, including NocoDB's own internal databases.

The SQLite client and related services accepted a user-supplied filename and used it to check for file existence and open the file for writing without restricting the file location. This allows the user to read or overwrite contents of important files such as noco.db or tenant databases, through the normal table APIs.

This vulnerability was fixed in version 2026.05.1.

Impact Analysis

This vulnerability can allow an authenticated user with limited permissions to read or modify sensitive database files on the NocoDB host. This could lead to unauthorized data access, data corruption, or data loss.

Since the user can overwrite internal databases, it may compromise the integrity and availability of the data managed by NocoDB.

Mitigation Strategies

To mitigate this vulnerability, upgrade NocoDB to version 2026.05.1 or later, where the issue is fixed.
