Moderate severityOSV Advisory· Published Jan 28, 2026· Updated Jan 29, 2026
NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS
CVE-2026-24766
Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nocodbnpm | < 0.301.0 | 0.301.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-95ff-46g6-6gw9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24766ghsaADVISORY
- github.com/nocodb/nocodb/releases/tag/0.301.0ghsaWEB
- github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.