CVE-2026-53927
Status: Received - Intake
Server-Side Request Forgery (SSRF) in NocoDB

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted any URL whose path contained a permitted file extension anywhere in the string, rather than requiring the path to end in one, and filtered the target host with a hand-rolled regex blocklist that omitted 127.0.0.0/8 (loopback) and 169.254.0.0/16 (link-local, where cloud metadata services live). A crafted URL could therefore make the server fetch the cloud-metadata endpoint. This vulnerability is fixed in 2026.05.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb
Product: nocodb
Version / Range: all versions before 2026.05.1 (2026.05.1 itself contains the fix and is not affected)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.05.1. The issue is in the spreadsheet-fetch endpoint (axiosRequestMake), which validated user-supplied URLs in two weak ways. First, its check for a permitted file extension matched anywhere in the path string rather than at the end of the path, so a URL that merely contained an allowed extension somewhere satisfied it. Second, its hand-rolled regex blocklist did not cover 127.0.0.0/8 (loopback) or 169.254.0.0/16 (link-local, the range in which cloud metadata services such as 169.254.169.254 are reached), so those destinations were never rejected. An attacker could combine the two to make the server fetch the cloud-metadata endpoint, potentially exposing sensitive internal metadata.

The vulnerability was fixed in version 2026.05.1.

Impact Analysis

This vulnerability allows an attacker who can submit a URL to the spreadsheet-fetch endpoint to turn the NocoDB server into a proxy for requests it should never make. Reaching the cloud-metadata endpoint typically exposes instance identity, user-data (which often carries bootstrap secrets) and, on instances with an attached role, temporary cloud credentials that can be used from outside the environment to act as that role and escalate further. Because 127.0.0.0/8 was also unfiltered, the same endpoint can reach services bound only to loopback on the NocoDB host.

Mitigation Strategies

Update NocoDB to version 2026.05.1 or later, where the URL validation in the spreadsheet-fetch endpoint has been fixed. As defense in depth, treat any user-supplied fetch URL as untrusted: validate the parsed URL (scheme, host and the extension at the end of the path) rather than a raw string, resolve the hostname and reject loopback, link-local (169.254.0.0/16) and RFC 1918 destinations at connect time, and require IMDSv2 session tokens with a hop limit of 1 on AWS hosts (or the mandatory metadata request headers on other clouds) so that a plain GET issued by an application process cannot read instance credentials. Blocking egress from the NocoDB host to link-local and loopback-adjacent networks at the network layer closes the same path independently of the application's filter.
