CVE-2026-53930
Deferred Deferred - Pending Action

Path Traversal in NocoDB Prior to 2026.05.1

Vulnerability report for CVE-2026-53930, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.05.1. Immediate mitigation involves upgrading NocoDB to version 2026.05.1 or later.

Compliance Impact

The provided information does not specify how CVE-2026-53930 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability in NocoDB prior to version 2026.05.1 involves the base-migration endpoint accepting a URL provided by the caller. The migration worker then dereferences this URL without enforcing restrictions on the protocol or destination.

This lack of enforcement allows an attacker to abuse different URL schemes such as file:, ftp:, and others, potentially enabling them to probe internal HTTP destinations.

This issue is fixed in version 2026.05.1.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized probing of internal network resources by abusing the URL schemes accepted by the base-migration endpoint.

Such probing could lead to information disclosure about internal HTTP destinations that are not intended to be exposed externally.

While the CVSS score indicates a moderate severity (5.1), the impact includes potential exposure of internal network details which could be leveraged in further attacks.

Detection Guidance

Detection of CVE-2026-53930 involves identifying attempts to exploit the base-migration endpoint by supplying URLs with non-HTTP/HTTPS schemes or targeting internal/private network destinations.

You can monitor network traffic or application logs for requests to the base-migration endpoint that include unusual URL schemes such as file:, ftp:, or internal IP addresses.

Suggested commands to detect potential exploitation attempts include:

  • Using grep to search application logs for suspicious URL schemes or internal IPs: grep -E 'file:|ftp:|127\.0\.0\.1|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])' /path/to/nocodb/logs/*
  • Using network monitoring tools like tcpdump to capture traffic to the base-migration endpoint and filter for suspicious URLs: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -E 'base-migration.*(file:|ftp:|127\.0\.0\.1|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1]))'
  • Reviewing HTTP access logs for requests to the base-migration endpoint with unusual URL parameters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53930. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart