CVE-2026-47385
Deferred Deferred - Pending Action

SQLite Arbitrary File Read/Write in NocoDB

Vulnerability report for CVE-2026-47385, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user with base-create permission to read or overwrite arbitrary files on the NocoDB host, including internal databases. Such unauthorized access and modification of data could lead to breaches of data confidentiality and integrity.

As a result, this vulnerability may impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and the integrity of stored information.

Executive Summary

This vulnerability affects NocoDB software versions prior to 2026.05.1. An authenticated user with base-create permission can attach a SQLite source that points to any arbitrary file on the NocoDB host system, including NocoDB's own internal databases.

The SQLite client and related services accepted a user-supplied filename and used it to check for file existence and open the file for writing without restricting the file location. This allows the user to read or overwrite contents of important files such as noco.db or tenant databases, through the normal table APIs.

This vulnerability was fixed in version 2026.05.1.

Impact Analysis

This vulnerability can allow an authenticated user with limited permissions to read or modify sensitive database files on the NocoDB host. This could lead to unauthorized data access, data corruption, or data loss.

Since the user can overwrite internal databases, it may compromise the integrity and availability of the data managed by NocoDB.

Mitigation Strategies

To mitigate this vulnerability, upgrade NocoDB to version 2026.05.1 or later, where the issue is fixed.

Detection Guidance

This vulnerability involves an authenticated user with base-create permission attaching a SQLite source pointing to arbitrary files on the NocoDB host. Detection involves monitoring for unusual or unauthorized SQLite source attachments referencing sensitive or internal database files.

To detect exploitation attempts, you can audit NocoDB logs for base-create actions where the SQLite source filename parameter points to unexpected or sensitive paths such as 'noco.db' or directories like 'nc_minimal_dbs/'.

Since the vulnerability involves filesystem access via user-supplied filenames, commands to check for suspicious files or processes might include:

  • Review NocoDB application logs for base-create operations with suspicious file paths.
  • Use grep or similar tools to search logs for keywords like 'noco.db' or 'nc_minimal_dbs' in SQLite source attachments.
  • Example command to search logs: grep -iE 'base-create.*(noco\.db|nc_minimal_dbs)' /path/to/nocodb/logs/*
  • Monitor filesystem access to sensitive database files using tools like auditd or inotify to detect unexpected write or open operations.
  • Check for unusual network activity or API calls that involve creating or modifying SQLite sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47385. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart