GHSA-RVP5-9P55-F5RP
Vulnerability from github – Published: 2026-06-05 16:00 – Updated: 2026-06-05 16:00
Summary
The client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link such as https://nocodb.example/#//attacker.com/phishing silently redirected visitors to an attacker-controlled origin.
Details
In packages/nc-gui/plugins/hashRedirect.client.ts, the plugin extracted the hash content and normalised it into cleanUrl:
```ts
let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
if (hashQuery) cleanUrl += `?${hashQuery}`
window.location.replace(cleanUrl)
```
startsWith('/') returns true for //attacker.com/..., which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect. The fix adds an early if (/^\/[/\\]/.test(hashPath)) return to reject protocol-relative paths.
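As an added example (not NocoDB's code or the advisory's patch), the vulnerable normalisation from the Details section is placed beside a hardened version that applies the early protocol-relative rejection described above, plus an origin check that resolves the candidate path against the site's own origin as defence in depth. The helper names, the origin `https://nocodb.example`, the placeholder host `attacker.example`, and the sample hash values are all assumptions constructed for the example.

```javascript
// Added example, not NocoDB's code. Helper names, origin and inputs are
// hypothetical; the sample hash values below are constructed.

// Vulnerable behaviour as described in the advisory: only startsWith('/')
// is checked, so "//host/..." passes through as a protocol-relative URL.
function normaliseVulnerable(hashPath, hashQuery) {
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`;
  if (hashQuery) cleanUrl += `?${hashQuery}`;
  return cleanUrl;
}

// Hardened: refuse anything that begins with "/" followed by "/" or "\"
// (the early-return check the fix adds), then normalise as before.
// Returns null when no redirect should happen.
function normaliseHardened(hashPath, hashQuery) {
  if (/^\/[/\\]/.test(hashPath)) return null; // protocol-relative: do not redirect
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`;
  if (hashQuery) cleanUrl += `?${hashQuery}`;
  return cleanUrl;
}

// Defence in depth: resolve the candidate against the page origin with the
// WHATWG URL parser and confirm the result still lives on that origin.
// This is independent of the regex, so it also covers inputs the regex
// was never written for (absolute URLs with a scheme, for example).
function staysOnOrigin(candidate, origin) {
  try {
    return new URL(candidate, origin).origin === origin;
  } catch {
    return false; // unparsable input: treat as unsafe
  }
}

// Combined decision a redirect plugin could make: a same-origin path or null.
function redirectTarget(hashPath, hashQuery, origin) {
  const path = normaliseHardened(hashPath, hashQuery);
  if (path === null || !staysOnOrigin(path, origin)) return null;
  return path;
}

// Stand-alone demo over constructed inputs.
const ORIGIN = 'https://nocodb.example';
const SAMPLES = [
  ['/dashboard', ''],
  ['dashboard', 'view=1'],
  ['//attacker.example/phishing', ''],
  ['/\\attacker.example', ''],
];
for (const [hashPath, hashQuery] of SAMPLES) {
  console.log(
    JSON.stringify(hashPath).padEnd(32),
    'vulnerable ->', normaliseVulnerable(hashPath, hashQuery),
    '| hardened ->', redirectTarget(hashPath, hashQuery, ORIGIN),
  );
}
```

The regex and the origin check are deliberately kept separate: the regex is the cheap, explicit rule the fix introduces, and `staysOnOrigin` is the belt-and-braces check that does not depend on remembering every way a browser can be talked into leaving the origin.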
Impact
- Open redirect from any NocoDB origin to an attacker-controlled domain.
- No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login.
Credit
This issue was reported by @fg0x0.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.04.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47377"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:00:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith(\u0027/\u0027)`. Protocol-relative URLs (`//attacker.com/\u2026`) also satisfy that check, so a crafted link such as `https://nocodb.example/#//attacker.com/phishing` silently redirected visitors to an attacker-controlled origin.\n\n### Details\n\nIn `packages/nc-gui/plugins/hashRedirect.client.ts`, the plugin extracted the hash content and normalised it into `cleanUrl`:\n\n```ts\nlet cleanUrl = hashPath.startsWith(\u0027/\u0027) ? hashPath : `/${hashPath}`\nif (hashQuery) cleanUrl += `?${hashQuery}`\nwindow.location.replace(cleanUrl)\n```\n\n`startsWith(\u0027/\u0027)` returns true for `//attacker.com/...`, which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect. The fix adds an early `if (/^\\/[/\\\\]/.test(hashPath)) return` to reject protocol-relative paths.\n\n### Impact\n\n- Open redirect from any NocoDB origin to an attacker-controlled domain.\n- No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login.\n\n### Credit\n\nThis issue was reported by [@fg0x0](https://github.com/fg0x0).",
"id": "GHSA-rvp5-9p55-f5rp",
"modified": "2026-06-05T16:00:15Z",
"published": "2026-06-05T16:00:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-rvp5-9p55-f5rp"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.