Improper Input Validation in nocodb/nocodb
Description
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in NocoDB prior to 0.96.0 allows table names exceeding database limits, potentially causing data loss.
Vulnerability
Details
CVE-2023-5104 is an improper input validation vulnerability in the table name field of NocoDB, a popular open-source Airtable alternative. Affecting versions prior to 0.96.0, the application fails to enforce database-specific length limits on table names when creating or renaming tables. This oversight can lead to table names that exceed the maximum length allowed by the underlying database engine.
The issue was addressed in commit db0385cb8aab2a34e233454607f59152ac62b3e2 [3], which introduced a validator that checks table names against the corresponding database limits: 64 characters for MySQL, 63 for PostgreSQL, and 128 for MSSQL [3]. The validator also accounts for any project prefix that might be prepended to the table name [3]. Prior to this fix, there were no such checks in place.
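The check described above, written as a standalone function that could also run in an API handler. This is an added example, not NocoDB's code: the function and map names are hypothetical, the limits (64, 63, 128, with the patch's 255 fallback) are the ones on this page, and measuring the PostgreSQL limit in UTF-8 bytes goes beyond the patch, which compares `.length`.

```javascript
// Added example, not NocoDB code. Limits are the values cited on this page;
// the names and the unit chosen per engine are assumptions of this sketch.
const IDENTIFIER_LIMITS = new Map([
  ['mysql', { max: 64, unit: 'chars' }],
  ['pg', { max: 63, unit: 'bytes' }], // PostgreSQL counts bytes, not characters
  ['mssql', { max: 128, unit: 'chars' }],
]);
const FALLBACK_LIMIT = { max: 255, unit: 'chars' }; // default used in the patch

function measure(text, unit) {
  return unit === 'bytes'
    ? new TextEncoder().encode(text).length // UTF-8 byte count
    : text.length; // UTF-16 code units, as in the patch; never undercounts characters
}

// Returns a result object instead of throwing, so a caller can map it to a 4xx.
function checkTableName(dbType, projectPrefix, tableName) {
  if (typeof tableName !== 'string' || tableName.length === 0) {
    return { ok: false, reason: 'table name must be a non-empty string' };
  }
  if (/^\s+|\s+$/.test(tableName)) {
    return { ok: false, reason: 'leading or trailing whitespace' };
  }
  // Map lookup: an unknown or hostile dbType cannot reach Object.prototype keys.
  const { max, unit } = IDENTIFIER_LIMITS.get(dbType) ?? FALLBACK_LIMIT;
  const length = measure(`${projectPrefix ?? ''}${tableName}`, unit);
  if (length > max) {
    return { ok: false, reason: `exceeds ${max} ${unit}`, length, max, unit };
  }
  return { ok: true, length, max, unit };
}

// Constructed sample inputs; the prefix value is made up.
const samples = [
  ['mysql', 'nc_ab12__', 'a'.repeat(55)], // 9 + 55 = 64: allowed
  ['mysql', 'nc_ab12__', 'a'.repeat(56)], // 65: rejected
  ['pg', '', '\u00e9'.repeat(32)], // 32 characters but 64 bytes: rejected
  ['mssql', '', 'x'.repeat(128)], // exactly at the limit: allowed
];
for (const [db, prefix, name] of samples) {
  console.log(db, name.length, checkTableName(db, prefix, name).ok);
}
```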
Impact
An authenticated attacker or even a regular user could create or rename a table with an excessively long name, leading to errors when the database attempts to store or reference the table. In some database configurations, this could result in data corruption or loss. The vulnerability is classified as improper input validation (CWE-20) and was discovered through the huntr.dev bug bounty program [4].
Mitigation
NocoDB released the fix in version 0.96.0. Users are strongly advised to upgrade to this version or later to prevent the vulnerability from being exploited. There are no known workarounds that do not involve patching the source code. As of the publication date (2023-09-21), no evidence of active exploitation in the wild has been reported.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nocodb (npm) | < 0.96.0 | 0.96.0 |
Affected products
2- nocodb/nocodb/nocodbv5Range: unspecified
Patches
db0385cb8aab feat(gui-v2): add table name length validator
1 file changed · +20 −2
packages/nc-gui-v2/components/dlg/TableRename.vue+20 −2 modified@@ -24,8 +24,7 @@ const dialogShow = computed({ }) const { updateTab } = useTabs() -const { loadTables } = useProject() -const { tables } = useProject() +const { loadTables, tables, project, isMysql, isMssql, isPg } = useProject() const inputEl = $ref<any>() let loading = $ref(false) @@ -37,6 +36,25 @@ const validators = computed(() => { return { title: [ validateTableName, + { + validator: (rule: any, value: any) => { + return new Promise<void>((resolve, reject) => { + let tableNameLengthLimit = 255 + if (isMysql) { + tableNameLengthLimit = 64 + } else if (isPg) { + tableNameLengthLimit = 63 + } else if (isMssql) { + tableNameLengthLimit = 128 + } + const projectPrefix = project?.value?.prefix || '' + if ((projectPrefix + value).length > tableNameLengthLimit) { + return reject(new Error(`Table name exceeds ${tableNameLengthLimit} characters`)) + } + resolve() + }) + }, + }, { validator: (rule: any, value: any, callback: (errMsg?: string) => void) => { if (/^\s+|\s+$/.test(value)) {
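Review bot: `isMysql`, `isMssql` and `isPg` are destructured from `useProject()` in the first hunk next to `project`, which the validator reads as `project?.value?.prefix`; if the three flags are refs or computed values like `project`, then `if (isMysql)` tests the wrapper object, is always true, and every backend gets the 64 limit. Please confirm their type and unwrap them (`isMysql.value`), or call them if they are functions, so the 63 and 128 branches are reachable.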
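Review bot: The length limit in the second hunk is enforced only as a form rule in the `validators` of TableRename.vue, the one file this commit changes, so a rename or create request that does not pass through this dialog is not checked by anything visible here. Suggest applying the same limit in the table create dialog and in the API handler that performs the rename, and keeping this rule as a usability check. Also, `(projectPrefix + value).length` counts UTF-16 code units, while PostgreSQL's 63 limit is measured in bytes, so a non-ASCII name can pass this rule and still be too long for that backend.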
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References