GHSA-GPRH-27J3-G5H4

Vulnerability from github – Published: 2026-06-17 14:06 – Updated: 2026-06-17 14:06
Summary
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Details

Summary

The spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL.

Details

The extension matcher is now anchored to the end of the path or immediately before the query string (/\.(xls|xlsx|xlsm|ods|ots)(\?|$)/i and /\.(csv)(\?|$)/i), so http://169.254.169.254/credentials/.xlsx no longer satisfies the format gate. The hand-rolled IP blocklist is removed in favour of useAgent(url) from request-filtering-agent, which blocks private and loopback ranges at the socket layer.

Impact

Authenticated users with editor permission could read cloud metadata and other internal HTTP endpoints reachable from the NocoDB process. On affected installs the spreadsheet import path was a credential-exfiltration primitive on cloud hosts.

Credit

This issue was reported by Devel Group Security Research Team through @TREXNEGRO. It was independently reported by @l3tchupkt.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T14:06:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path\ncontained a permitted extension anywhere in the string, and applied a hand-rolled\nregex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the\ncloud-metadata endpoint to be reached with a crafted URL.\n\n### Details\nThe extension matcher is now anchored to the end of the path or immediately before\nthe query string (`/\\.(xls|xlsx|xlsm|ods|ots)(\\?|$)/i` and `/\\.(csv)(\\?|$)/i`), so\n`http://169.254.169.254/credentials/.xlsx` no longer satisfies the format gate. The\nhand-rolled IP blocklist is removed in favour of `useAgent(url)` from\n`request-filtering-agent`, which blocks private and loopback ranges at the socket\nlayer.\n\n### Impact\nAuthenticated users with editor permission could read cloud metadata and other\ninternal HTTP endpoints reachable from the NocoDB process. On affected installs the\nspreadsheet import path was a credential-exfiltration primitive on cloud hosts.\n\n### Credit\nThis issue was reported by Devel Group Security Research Team through [@TREXNEGRO](https://github.com/TREXNEGRO).\nIt was independently reported by [@l3tchupkt](https://github.com/l3tchupkt).",
  "id": "GHSA-gprh-27j3-g5h4",
  "modified": "2026-06-17T14:06:43Z",
  "published": "2026-06-17T14:06:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-gprh-27j3-g5h4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL"
}
