{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24766", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T21:06:47.868Z", "datePublished": "2026-01-28T20:27:42.819Z", "dateUpdated": "2026-01-29T18:01:30.160Z"}, "containers": {"cna": {"title": "NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"version": "< 0.301.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T20:27:42.819Z"}, "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue."}], "source": {"advisory": "GHSA-95ff-46g6-6gw9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T16:03:33.565162Z", "id": "CVE-2026-24766", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T18:01:30.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24766", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T16:03:33.565162Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T16:03:36.099Z"}}], "cna": {"title": "NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS", "source": {"advisory": "GHSA-95ff-46g6-6gw9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "< 0.301.0"}]}], "references": [{"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9", "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T20:27:42.819Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24766", "state": "PUBLISHED", "dateUpdated": "2026-01-29T18:01:30.160Z", "dateReserved": "2026-01-26T21:06:47.868Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T20:27:42.819Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E17808E-7686-4232-8ADC-D8C548B7F9F0", "versionEndExcluding": "0.301.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue."}], "id": "CVE-2026-24766", "lastModified": "2026-02-04T20:06:08.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-28T21:16:12.103", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:39:44.366187+00:00", "value": {"mitigation_remediation": ["Upgrade NocoDB to version 0.301.0 or later where the prototype pollution is fixed.", "Revoke org\u2011level\u2011creator permissions for users who do not require them and enforce stricter role\u2011based access controls.", "Monitor application and HTTP logs for frequent or abnormal use of the /api/v2/meta/connection/test endpoint and apply rate limiting or temporary blocking if suspicious activity is detected."], "summary": {"action": "Apply Patch", "impact": "Denial of Service caused by prototype pollution that disables all database write operations"}, "threat_synthesis": {"affected_systems": "NocoDB, software used for building databases as spreadsheets. All versions running before 0.301.0 are affected, regardless of environment or deployment. The vulnerability does not affect other vendors or unrelated products.", "description_and_impact": "The vulnerability is a prototype pollution flaw in the /api/v2/meta/connection/test endpoint that can be triggered by an authenticated user with org\u2011level\u2011creator permissions. After the pollution occurs, every database write operation fails across the entire application until the server is restarted, effectively preventing data persistence. The weakness is classified as CWE\u20111321.", "risk_and_exploitability": "The CVSS score of 4.9 places it in the low severity range, and the EPSS score of less than 1% indicates a very low but non\u2011zero likelihood of exploitation in the wild. NocoDB is not currently listed in the CISA KEV catalog. An attacker must authenticate as an org\u2011level\u2011creator, which limits the attack surface; however, once authenticated, the attacker can cause a denial of service by corrupting prototype data, requiring a server restart to regain normal operation."}}}}, "created": "2026-01-29T09:08:51.608546+00:00", "updated": "2026-04-18T01:45:33.400502+00:00", "vendors": ["nocodb", "nocodb$PRODUCT$nocodb"]}