CVE-2026-53930
Path Traversal in NocoDB Prior to 2026.05.1

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This vulnerability is fixed in 2026.05.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: before 2026.05.1 (2026.05.1 excluded)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.05.1. Immediate mitigation involves upgrading NocoDB to version 2026.05.1 or later.

Executive Summary

The vulnerability in NocoDB prior to version 2026.05.1 involves the base-migration endpoint accepting a URL provided by the caller. The migration worker then dereferences this URL without enforcing restrictions on the protocol or destination.

This lack of enforcement allows an attacker to abuse different URL schemes such as file:, ftp:, and others, potentially enabling them to probe internal HTTP destinations.

This issue is fixed in version 2026.05.1.
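As an added illustration of the check the Description and Executive Summary say was missing (example code written here, not NocoDB's own implementation or its fix): a validator for a caller-supplied migration URL that accepts only http/https, rejects file:/ftp: and similar schemes, and refuses hosts that resolve to loopback, private or link-local addresses. The function name, the FAKE_DNS table and every address in it are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (assumption, not
# real records). Production code would use socket.getaddrinfo() and then
# connect to the resolved address itself, so a DNS-rebinding race cannot
# swap a public name for an internal one between check and fetch.
FAKE_DNS = {
    "backup.example.com": ["1.2.3.4"],
    "localhost": ["127.0.0.1"],
    "intranet.example.corp": ["10.1.2.3"],
    "metadata.example.test": ["169.254.169.254"],
}

ALLOWED_SCHEMES = {"http", "https"}  # file:, ftp:, gopher:, ... never reach a fetcher


def resolve(host: str) -> list[str]:
    """IP literals pass through unchanged; names are looked up in FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def validate_migration_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept only http(s) URLs whose host is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # urlsplit lower-cases scheme
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname                           # lower-cased, [] stripped
    if not host:
        return False, "missing host"
    addrs = resolve(host)
    if not addrs:
        return False, f"unresolvable host: {host}"
    for addr in addrs:                              # every answer must be public
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918 / ULA, link-local (which
        # covers 169.254.0.0/16) and other reserved ranges.
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

Scheme and address checks alone do not cover HTTP redirects; the fetcher must also re-validate each redirect target before following it.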

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized probing of internal network resources by abusing the URL schemes accepted by the base-migration endpoint.

Such probing could lead to information disclosure about internal HTTP destinations that are not intended to be exposed externally.

While the CVSS score indicates moderate severity (5.1), the impact includes potential exposure of internal network details that could be leveraged in further attacks.
