PatchSiren

CVE-2026-47382 nocodb CVE debrief

CVE-2026-47382 is a server-side request forgery (SSRF) vulnerability in NocoDB, an open-source tool that presents databases through a spreadsheet-style interface. In versions prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without first resolving the name and checking the resulting addresses against loopback, private and link-local ranges. The database driver could therefore be pointed at localhost, RFC 1918 addresses and link-local addresses, including their IPv4-mapped IPv6 forms (for example ::ffff:127.0.0.1), which pass naive string-based filters. The vulnerability is fixed in version 2026.05.1. It carries a CVSS 4.0 score of 5.3 (MEDIUM). The CVE was published on 2026-06-23T21:17:00.077Z and last modified on 2026-06-25T14:21:00.260Z.

Vendor
nocodb
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Anyone running a self-hosted NocoDB instance older than 2026.05.1 in which users can add or test data source connections. The CVSS vector requires low privileges (PR:L), so the attacker is an authenticated user rather than an anonymous one; the exposure is greatest where NocoDB runs inside a cloud or container network whose internal databases, admin services and link-local metadata endpoints are reachable from the application host but not from the user. Upgrading to 2026.05.1 or later removes the flaw; until then, access to data source management is the control that matters.

Technical summary

The connection-test endpoint accepts a database host from the user and hands it to the database driver, which opens a TCP connection to it. In the affected versions nothing resolved the name and checked every resulting address against loopback, private and link-local ranges before the connection was made. Two gaps follow. First, a hostname or literal that maps to an internal address is contacted on the server's behalf. Second, a check that compares the literal string misses alternative encodings of the same address, such as the IPv4-mapped IPv6 form ::ffff:127.0.0.1 or its hex spelling ::ffff:7f00:1, which the operating system treats exactly like 127.0.0.1. The result is an SSRF primitive: an authenticated user can make the NocoDB host open connections to services it can reach but the user cannot, and because connection tests typically return different errors and timings for open, closed and filtered ports, the endpoint doubles as an internal port scanner even when the driver handshake never completes. Version 2026.05.1 resolves the supplied host and range-checks the resolved addresses before connecting. The CVSS vector stored with the record is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, i.e. network attack vector, low attack complexity, low privileges required, no user interaction and low integrity impact on the vulnerable system; the trailing metrics are unset (X).
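The following is an added example, not NocoDB's own code and not the fix shipped in 2026.05.1. It shows the two missing steps described above in TypeScript (the project's language): resolve the user-supplied host, then range-check every address it maps to, including IPv4-mapped IPv6 and NAT64-embedded forms. The helper names (parseV4, expandV6, isBlockedAddress, vetDatabaseHost), the blocked-range list and the lookup table behind fakeResolver are assumptions constructed for this example so that it runs offline.

```typescript
// Added example (not NocoDB's code): vet a user-supplied database host by
// resolving it and range-checking every resulting address.

type Resolver = (host: string) => string[];

// Strict dotted-quad parser; returns the address as an unsigned 32-bit integer.
function parseV4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

// Ranges a connection test must never reach (constructed list; extend to taste).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["100.64.0.0", 10],  // shared address space (CGNAT)
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, including cloud metadata services
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
];

function isBlockedV4(ip: number): boolean {
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((parseV4(base)! & mask) >>> 0);
  });
}

// Expand any textual IPv6 form (including ::ffff:a.b.c.d) into eight 16-bit groups.
function expandV6(s: string): number[] | null {
  let t = s.toLowerCase().split("%")[0]; // drop zone id (fe80::1%eth0)
  const lastColon = t.lastIndexOf(":");
  if (t.slice(lastColon + 1).includes(".")) { // trailing dotted quad -> two hex groups
    const v4 = parseV4(t.slice(lastColon + 1));
    if (v4 === null) return null;
    t = `${t.slice(0, lastColon + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = t.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0 || (halves.length === 1 && head.length !== 8)) return null;
  const groups = [...head, ...Array<string>(fill).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function isBlockedV6(g: number[]): boolean {
  const zeroPrefix = (n: number) => g.slice(0, n).every((x) => x === 0);
  const embedded = (hi: number, lo: number) => ((hi << 16) | lo) >>> 0;
  // ::ffff:a.b.c.d (IPv4-mapped): judge the embedded IPv4 address.
  if (zeroPrefix(5) && g[5] === 0xffff) return isBlockedV4(embedded(g[6], g[7]));
  // 64:ff9b::/96 (NAT64): likewise.
  if (g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0)) {
    return isBlockedV4(embedded(g[6], g[7]));
  }
  if (zeroPrefix(6)) return true;                 // ::/96: unspecified, ::1, deprecated IPv4-compatible
  if ((g[0] & 0xfe00) === 0xfc00) return true;    // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;    // fe80::/10 link-local
  return false;
}

// True when a literal address must not be contacted. Anything that is not a
// literal also returns true: hostnames must be resolved first (vetDatabaseHost).
function isBlockedAddress(addr: string): boolean {
  const v4 = parseV4(addr);
  if (v4 !== null) return isBlockedV4(v4);
  const v6 = expandV6(addr);
  if (v6 !== null) return isBlockedV6(v6);
  return true;
}

// Resolve the supplied host and vet every address it maps to. The vetted list is
// returned so the caller connects to one of those addresses instead of resolving
// again (a second lookup can answer differently: DNS rebinding).
function vetDatabaseHost(host: string, resolve: Resolver): string[] {
  const literal = parseV4(host) !== null || expandV6(host) !== null;
  const addrs = literal ? [host] : resolve(host);
  if (addrs.length === 0) throw new Error(`${host}: no addresses`);
  for (const a of addrs) {
    if (isBlockedAddress(a)) throw new Error(`${host} resolves to blocked address ${a}`);
  }
  return addrs;
}

// Constructed lookup table standing in for dns.lookup(host, { all: true }) so the
// example runs offline. Hostnames and addresses are made up for this example.
const fakeResolver: Resolver = (host) =>
  ({
    "db.example.com": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.com": ["203.0.113.11", "10.0.0.5"],
  } as Record<string, string[]>)[host] ?? [];
```

In production, replace the hand-written literal parsers with net.isIP and the table with dns.promises.lookup(host, { all: true }), which goes through getaddrinfo and therefore also normalizes shorthand literals such as 127.1 that the platform resolver may accept; the important property is that every address returned is checked and that the connection is then made to a checked address, not to the hostname.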

Defensive priority

Upgrade to NocoDB 2026.05.1 or later; that is the only change that closes the flaw. Until the upgrade lands, limit who can create or test data source connections, and restrict outbound connectivity from the NocoDB host so that connections to loopback, private and link-local ranges are refused at the network layer rather than left to the application.

Recommended defensive actions

  • Upgrade NocoDB to version 2026.05.1 or later
  • Until then, restrict the ability to add or test data sources to trusted administrators; the flaw requires an authenticated user (PR:L), so narrowing that population narrows the exposure
  • Apply egress controls to the NocoDB host or container that block connections to loopback, RFC 1918 and link-local ranges, including 169.254.169.254; where the platform offers it, require session-oriented metadata access (for example IMDSv2 on AWS) so that a bare TCP connection cannot read instance credentials
  • Log connection tests with the supplied host and the addresses it resolved to, and alert on internal or link-local targets and on bursts of tests against many hosts or ports
  • Include data source and connection-test features in routine vulnerability assessment and penetration testing, and test with IPv4-mapped IPv6 and other encoded forms rather than plain dotted-quad addresses only

Evidence notes

The CVE-2026-47382 record was retrieved via the NVD Modified API. The CVE record and the NVD detail page carry the canonical description and scoring; a GitHub source reference carries the project advisory.

Official resources

This article is AI-assisted and based on the supplied source corpus.