CVE-2026-53927
Deferred Deferred - Pending Action

Remote Code Execution in NocoDB

Vulnerability report for CVE-2026-53927, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users with editor permissions to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal HTTP endpoints and exfiltrating credentials on cloud hosts.

Such unauthorized access and potential data exfiltration could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and internal systems.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing sensitive information and failing to adequately protect internal resources.

Executive Summary

This vulnerability exists in NocoDB software versions prior to 2026.05.1. The issue is in the spreadsheet-fetch endpoint (axiosRequestMake), which accepted URLs containing a permitted extension anywhere in the path string. It used a custom regex blocklist that excluded only certain IP ranges (127.0.0.0/8 and 169.254.0.0/16), but this allowed an attacker to craft a URL that could reach the cloud-metadata endpoint, potentially exposing sensitive internal metadata.

The vulnerability was fixed in version 2026.05.1.

Impact Analysis

This vulnerability could allow an attacker to access internal cloud metadata endpoints by bypassing the URL filtering mechanism. Access to such metadata can lead to exposure of sensitive information about the cloud environment, which could be used to further compromise the system or escalate privileges.

Mitigation Strategies

To mitigate this vulnerability, update NocoDB to version 2026.05.1 or later, where the issue with the spreadsheet-fetch endpoint has been fixed.

Detection Guidance

This vulnerability is a Server-Side Request Forgery (SSRF) in NocoDB versions prior to 2026.05.1, specifically involving the spreadsheet-fetch endpoint (axiosRequestMake) that improperly validates URLs. Detection involves identifying attempts to exploit this endpoint by sending crafted URLs that access internal or cloud metadata endpoints.

To detect exploitation attempts on your system or network, you can monitor HTTP requests to the spreadsheet-fetch endpoint for suspicious URL patterns that include permitted extensions anywhere in the path, especially those targeting internal IP ranges such as 169.254.0.0/16 or 127.0.0.0/8.

Suggested commands to detect potential exploitation attempts include:

  • Using network traffic monitoring tools like tcpdump or Wireshark to filter HTTP requests to the vulnerable endpoint, for example: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'spreadsheet-fetch'
  • Searching web server logs for suspicious requests containing URLs with permitted extensions in unusual positions or targeting internal IP ranges, e.g.: grep -i 'spreadsheet-fetch' /var/log/nginx/access.log | grep -E '127\.0\.0\.1|169\.254\.'
  • Using curl or similar tools to test the endpoint with crafted URLs to verify if the system is vulnerable, for example: curl -v 'http://<nocodb-host>/spreadsheet-fetch?url=http://169.254.169.254/latest/meta-data/'

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart