Nocodb: 14 Vulnerabilities Disclosed Together, Including XSS and SQL Injection
Nocodb experienced a significant disclosure event on June 5, 2026, with 14 vulnerabilities impacting its open-source no-code platform, ranging from stored XSS to SQL injection.

Key findings
- 14 vulnerabilities in Nocodb disclosed simultaneously on June 5, 2026.
- Issues include stored XSS, SQL injection, path traversal, and SSRF.
- XSS vulnerabilities found in form redirects, row comments, and password resets.
- SQL injection exploitable via column titles and formula functions.
- Authentication and authorization flaws include OAuth race conditions and user enumeration.
- Server-Side Request Forgery allows connections to arbitrary hosts.
Nocodb, an open-source no-code platform, was the subject of a large-scale vulnerability disclosure on June 5, 2026, with 14 distinct CVEs published within a 28-minute window. These vulnerabilities, affecting various aspects of the platform, highlight the risk to users who have not yet updated their instances.
The disclosed vulnerabilities span a range of critical and high-severity issues, including cross-site scripting (XSS), SQL injection, path traversal, and server-side request forgery (SSRF).
Cross-Site Scripting (XSS) Vulnerabilities: Several XSS flaws were identified. CVE-2026-47387 details a stored XSS vulnerability in the form view's redirect URL, allowing an attacker to inject malicious JavaScript via a crafted redirect_url that would execute when an authenticated viewer interacted with the form. Similarly, CVE-2026-47383 describes another stored XSS in row comments, where malicious HTML persisted in comments could be executed when users hovered over them in an expanded form view. A reflected XSS vulnerability, CVE-2026-47376, was found in the password reset functionality, where a crafted token could break out of a JavaScript string literal and execute code.
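The XSS issues above share one root cause: untrusted text reaching an output context (HTML for row comments, a JavaScript string literal for the reset token) without encoding for that context. The following Node.js code is an added example written for this page, not NocoDB's own code; the function names, the token alphabet in TOKEN_SHAPE and the sample values are assumptions.

```javascript
// Added example, not NocoDB's code: encode untrusted text for the two
// output contexts named in the advisory (HTML body for row comments,
// JavaScript string literal for a token placed in an inline script).

// HTML-context encoding: every character that can open a tag, close an
// attribute or end an element becomes an entity, so stored comment text
// renders as text instead of being parsed as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(text).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// JS-string-literal context: JSON.stringify yields a quoted literal with
// backslashes, quotes and control characters escaped; '<' and '>' are then
// unicode-escaped so the literal can never contain '</script>', and the
// two line separators JSON permits inside strings are escaped as well.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Stronger option for a reset token: the server knows the token alphabet,
// so reject anything outside it before the value reaches a template.
// (Hypothetical alphabet and length; adjust to the real token format.)
const TOKEN_SHAPE = /^[A-Za-z0-9_-]{16,256}$/;
function isWellFormedToken(token) {
  return typeof token === 'string' && TOKEN_SHAPE.test(token);
}

// Render the inline script only with a validated, then encoded, token.
function renderResetScript(token) {
  if (!isWellFormedToken(token)) throw new Error('malformed reset token');
  return `<script>var resetToken = ${toJsStringLiteral(token)};</script>`;
}

// Constructed demonstration values (not taken from the advisory).
const sampleComment = '<b>hi</b><script>x()</script>';
console.log(escapeHtml(sampleComment));
console.log(renderResetScript('tok_0123456789abcdef'));
```

The shape check and the encoder are complementary: the check rejects values that should never exist, the encoder guarantees that whatever does get rendered cannot change the surrounding syntax.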
SQL Injection and Path Traversal: Security researchers also uncovered SQL injection flaws. CVE-2026-47384 details an SQL injection vulnerability in the bulk groupBy endpoint, exploitable by authenticated users with column-create permission by manipulating column titles. Another SQL injection, CVE-2026-47375, affects Postgres-backed bases, allowing injection through the ARRAYSORT formula function's direction argument. Furthermore, CVE-2026-47385 highlights a path traversal vulnerability via SQLite source filenames, enabling authenticated users with base-create permission to attach SQLite sources pointing to arbitrary files on the Nocodb host.
Authentication and Authorization Issues: Several vulnerabilities touch upon authentication and authorization mechanisms. CVE-2026-47386 describes an OAuth authorization code race condition where concurrent token exchange requests could lead to the issuance of multiple valid token pairs, undermining the single-use guarantee. CVE-2026-47380 points to user enumeration via sign-in timing differences between known and unknown email addresses. CVE-2026-47379 reveals a plaintext password comparison fallback in shared views, potentially leaking password length and prefix through timing attacks for legacy passwords.
Server-Side Request Forgery and Information Exposure: CVE-2026-47382 details a Server-Side Request Forgery (SSRF) vulnerability in the connection-test endpoint, allowing attackers to connect to arbitrary hosts, including private and link-local addresses. CVE-2026-47381 describes cross-workspace integration use in the connection test, where a user in one workspace could exploit another workspace's integration. Additionally, CVE-2026-47378 and CVE-2026-47279 highlight hidden column exposure in public shared-view endpoints, allowing unauthorized access to hidden data through various mechanisms.
Open Redirect: CVE-2026-47377 addresses an open redirect vulnerability in the hashRedirect plugin, exploitable via a crafted URL hash fragment that bypasses the initial path validation, leading to redirection to attacker-controlled domains.
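The open redirect here and the form-view redirect_url XSS described earlier are the same decision made twice: is this string a destination the application may navigate to? One validator that allowlists the scheme and pins the origin answers both, and it has to be applied to the destination actually used, including one carried in a URL hash. The Node.js code below is an added example for this page, not NocoDB's code; the function names and the application origin are assumptions.

```javascript
// Decide where a redirect may go. Two shapes are accepted: a path on this
// application (a single leading '/', so protocol-relative '//host' and the
// backslash variant '/\host' are out), or an absolute http(s) URL whose
// origin is exactly the application's own. Anything else, including
// javascript: and data: URLs, foreign hosts and userinfo forms such as
// https://app.example@other.example, falls back to the site root.
function safeRedirectTarget(candidate, appOrigin) {
  if (typeof candidate !== 'string') return '/';
  const value = candidate.trim();
  if (/^\/(?![\/\\])/.test(value)) {
    const u = new URL(value, appOrigin); // resolve, then confirm it stayed on our origin
    return u.origin === appOrigin ? u.pathname + u.search + u.hash : '/';
  }
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return '/';
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return '/';
  return u.origin === appOrigin ? u.href : '/';
}

// A hash-based redirect reads its destination from location.hash. That
// destination must go through the same check as any other redirect target;
// validating only the path before the '#' leaves the fragment unchecked.
function resolveHashRedirect(locationHash, appOrigin) {
  const raw = locationHash.startsWith('#') ? locationHash.slice(1) : locationHash;
  let destination;
  try {
    destination = decodeURIComponent(raw);
  } catch (e) {
    return '/';
  }
  return safeRedirectTarget(destination, appOrigin);
}

// Constructed demonstration (origin and inputs are not from the advisory).
const APP_ORIGIN = 'https://app.example';
console.log(safeRedirectTarget('/dashboard?tab=1', APP_ORIGIN));
console.log(resolveHashRedirect('#https://other.example/', APP_ORIGIN));
```

The check runs after URL parsing rather than on the raw string, so origin comparison sees the host the browser would actually use; string-prefix checks on the raw value are exactly what userinfo, backslash and protocol-relative forms are designed to slip past.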
These vulnerabilities were disclosed on June 5, 2026, with all CVEs published within a single, concentrated event. Users of Nocodb are strongly advised to review the specific CVE details and apply any available patches or updates to mitigate these risks.