NocoDB: Five CVEs Disclosed Together — Unauthenticated SSRF, Stored XSS, and Token Persistence Flaw
Key findings
- Two SSRF bugs (CVE-2026-53931, CVE-2026-53927) were reachable without authentication
- CVE-2026-53931 bypasses URL allowlist via query-string tricks like ?.csv
- CVE-2026-53927 omits 127.0.0.0/8 and 169.254.0.0/16 from its blocklist
- CVE-2026-53929 allows stored XSS via .html/.svg attachments when NC_SECURE_ATTACHMENTS=true
- CVE-2026-53928: refresh tokens survive password-forgot flow, enabling JWT replay
- All five CVEs patched in the same release; no in-the-wild exploitation reported
On June 17, 2026, NocoDB disclosed five security vulnerabilities spanning server-side request forgery (SSRF), stored cross-site scripting (XSS), and an authentication logic flaw. The batch, published within a two-minute window, affects the open-source Airtable alternative and includes two SSRF bugs that were reachable without authentication, raising the risk of internal network reconnaissance and cloud-metadata exfiltration for unpatched instances.
Three of the five CVEs are SSRF issues, all tied to how NocoDB handles external URLs during spreadsheet operations. CVE-2026-53931 targets the axiosRequestMake endpoint used by the spreadsheet-import feature. Before the fix, the endpoint was accessible without authentication, and its URL-extension allowlist was a regex tested against the full URL string — meaning a URL like https://example.com/robots.txt?.csv would pass the check, allowing the server to be used as a generic HTTP proxy.
CVE-2026-53927 is a closely related SSRF in the spreadsheet-fetch endpoint, also via axiosRequestMake. Its hand-rolled regex blocklist omitted the 127.0.0.0/8 and 169.254.0.0/16 ranges, making it possible to reach cloud-metadata endpoints (e.g., the AWS IMDS) with a crafted URL.
CVE-2026-53930 takes a different path: the base-migration endpoint accepts a caller-supplied URL that the migration worker dereferences without enforcing protocol or destination, enabling scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This endpoint is restricted to the workspace-owner role, limiting its attack surface compared to the unauthenticated SSRF bugs.
The remaining two CVEs address different attack surfaces. CVE-2026-53929 is a stored XSS vulnerability that arises when NC_SECURE_ATTACHMENTS=true. An authenticated uploader can deliver .html or .svg attachments that the browser renders inline from the NocoDB origin instead of forcing a download, because the signed-attachment handler stores response-header overrides under PascalCase keys (ResponseContentDisposition instead of response-content-disposition), which S3 ignores.
CVE-2026-53928 is an authentication logic flaw: a stolen refresh token survives a password-forgot flow and can be used to mint fresh JWTs even after the user resets their password. The passwordChange and passwordReset endpoints properly delete the user's refresh tokens, but passwordForgot only rotates token_version and revokes OAuth tokens — it does not clear existing refresh tokens, leaving a window for token replay.
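For CVE-2026-53929 the useful thing to have is a regression check that asks the generated attachment URL the right question: will the browser be forced to download this object? The example below is added for this article and is not NocoDB's code. S3 honours response-header overrides only when they arrive as the lowercase query parameters `response-content-disposition` and `response-content-type`; the example builds those parameters both the wrong way (PascalCase keys, as the article describes) and the right way, and includes a checker that can be run over URLs a signing handler emits. The risky-extension list and function names are assumptions, and the actual signing step is omitted since the parameters must be present before the URL is signed.

```javascript
// Added example, not NocoDB's code. Builds the S3 response-header override
// parameters for an attachment and checks that a generated URL forces a
// download for extensions a browser would otherwise render inline.
const INLINE_RISK_EXT = new Set(['html', 'htm', 'xhtml', 'svg']); // assumed list

function sanitizeName(name) {
  return name.replace(/[^\w.\-]/g, '_');
}

// Decide the overrides: risky types get a forced download and an inert
// content type; everything else may be served inline.
function responseOverridesFor(filename) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const safeName = sanitizeName(filename);
  if (INLINE_RISK_EXT.has(ext)) {
    return {
      'response-content-disposition': `attachment; filename="${safeName}"`,
      'response-content-type': 'application/octet-stream',
    };
  }
  return { 'response-content-disposition': `inline; filename="${safeName}"` };
}

// Buggy builder: correct values, wrong key spelling. S3 does not recognise
// ResponseContentDisposition as a query parameter, so the stored headers win.
function overrideQueryBuggy(filename) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(responseOverridesFor(filename))) {
    const pascal = key.split('-').map((s) => s[0].toUpperCase() + s.slice(1)).join('');
    params.set(pascal, value);
  }
  return params.toString();
}

// Fixed builder: the lowercase names S3 actually honours.
function overrideQueryFixed(filename) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(responseOverridesFor(filename))) {
    params.set(key, value);
  }
  return params.toString();
}

// Regression check: for a risky extension the URL must carry an attachment
// disposition and an inert content type under the names S3 reads.
function attachmentUrlIsSafe(urlString) {
  const u = new URL(urlString);
  const ext = (u.pathname.split('.').pop() || '').toLowerCase();
  if (!INLINE_RISK_EXT.has(ext)) return true;
  const disposition = u.searchParams.get('response-content-disposition') || '';
  const type = u.searchParams.get('response-content-type') || '';
  return /^attachment\b/i.test(disposition) && type === 'application/octet-stream';
}

module.exports = { responseOverridesFor, overrideQueryBuggy, overrideQueryFixed, attachmentUrlIsSafe };
```

The checker deliberately looks at the query string and not at what the handler believes it set; that is the difference between a unit test that passed with the buggy key names and one that would have caught them.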
NocoDB has released patches for all five CVEs. Users should update to the latest version immediately. No in-the-wild exploitation has been reported at the time of disclosure, but the unauthenticated SSRF bugs (CVE-2026-53931 and CVE-2026-53927) are particularly dangerous in cloud deployments where internal metadata services are accessible. Administrators should also review attachment-storage configurations and consider rotating any existing refresh tokens after applying the patch for CVE-2026-53928.
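Administrators deciding whether a rotation is enough, or wanting evidence that no replay happened before the patch for CVE-2026-53928 landed, can answer that from their own auth logs. The following is an added example, not NocoDB's code or log format: it runs detection logic over a few constructed JSON event lines and flags any refresh-token use where the token was issued before the user's most recent password-forgot event, which is exactly the window the article describes. Event and field names (`refresh_token_issued`, `password_forgot`, `refresh_token_used`, `token_id`) are assumptions to be mapped onto whatever the deployment actually records.

```javascript
// Added example, not NocoDB's code. Flags refresh-token use that should have
// been impossible if the forgot-password flow had cleared refresh tokens.
// Log format and field names are assumed.

// Constructed sample: rt-1 is issued, the user runs the forgot flow, and
// rt-1 is still used afterwards (the replay); rt-2 is issued after the
// forgot event and is legitimate.
const SAMPLE_LOG = [
  '{"ts":"2026-06-17T09:00:00Z","event":"refresh_token_issued","user":"u42","token_id":"rt-1"}',
  '{"ts":"2026-06-17T09:30:00Z","event":"password_forgot","user":"u42"}',
  '{"ts":"2026-06-17T09:45:00Z","event":"refresh_token_used","user":"u42","token_id":"rt-1","ip":"203.0.113.9"}',
  '{"ts":"2026-06-17T09:50:00Z","event":"refresh_token_issued","user":"u42","token_id":"rt-2"}',
  '{"ts":"2026-06-17T10:00:00Z","event":"refresh_token_used","user":"u42","token_id":"rt-2","ip":"198.51.100.4"}',
  '{"ts":"2026-06-17T10:05:00Z","event":"refresh_token_used","user":"u7","token_id":"rt-9","ip":"198.51.100.4"}',
  'not a json line at all',
];

// Parse, drop malformed lines, and order by time so state is built correctly
// even if the source emits events slightly out of order.
function parseEvents(lines) {
  const events = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; }
    if (!e || !e.ts || !e.event || !e.user) continue;
    const t = Date.parse(e.ts);
    if (Number.isNaN(t)) continue;
    events.push({ ...e, t });
  }
  return events.sort((a, b) => a.t - b.t);
}

// Core rule: a refresh token used after a password_forgot for the same user,
// and issued before that forgot event, is a replay candidate.
function findStaleRefreshUse(lines) {
  const issuedAt = new Map();   // token_id -> issue time
  const lastForgot = new Map(); // user -> latest password_forgot time
  const findings = [];
  for (const e of parseEvents(lines)) {
    if (e.event === 'refresh_token_issued') {
      issuedAt.set(e.token_id, e.t);
    } else if (e.event === 'password_forgot') {
      lastForgot.set(e.user, e.t);
    } else if (e.event === 'refresh_token_used') {
      const forgot = lastForgot.get(e.user);
      const issued = issuedAt.get(e.token_id);
      // Tokens whose issue event predates the log window are not flagged here;
      // treat them as candidates for rotation rather than as confirmed replay.
      if (forgot !== undefined && issued !== undefined && issued < forgot) {
        findings.push({ user: e.user, token_id: e.token_id, used_at: e.ts, ip: e.ip || null });
      }
    }
  }
  return findings;
}

module.exports = { SAMPLE_LOG, parseEvents, findStaleRefreshUse };
```

Running `findStaleRefreshUse(SAMPLE_LOG)` on the constructed lines reports the single use of rt-1 after the forgot event. On a patched instance the same query should return nothing for events after the upgrade; on an unpatched one, each hit names a token worth revoking and a source address worth a closer look.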
This batch underscores the risks of custom URL-validation logic in low-code platforms. The SSRF bugs share a root cause — regex-based allowlists that can be bypassed with query-string tricks or omitted IP ranges — while the XSS and token-persistence flaws highlight edge cases in feature-specific code paths. NocoDB users should treat this disclosure as a prompt to audit any exposed instances and ensure the latest security update is applied.