PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47385 nocodb CVE debrief

CVE-2026-47385 is a vulnerability in NocoDB, software for building databases as spreadsheets. An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The vulnerability is fixed in version 2026.05.1. Users should update to the latest version to prevent exploitation. The CVSS score for this vulnerability is 5.3, indicating a medium severity.

Vendor
nocodb
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Users of NocoDB, especially those with base-create permissions, should be aware of this vulnerability and take steps to protect themselves. This includes updating to version 2026.05.1 or later and being cautious when attaching new sources. Security teams should also be aware of this vulnerability and monitor for potential exploitation.

Technical summary

The vulnerability in NocoDB allows an authenticated user with base-create permission to attach a SQLite source pointing at an arbitrary file on the NocoDB host. This is possible because the SQLite client and base/integration create services accept a caller-supplied filename and pass it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.

Defensive priority

This vulnerability has a medium CVSS score of 5.3. Exploitation requires an authenticated account that already holds base-create permission, but a successful attack reaches NocoDB's own internal databases (noco.db and the tenant databases under nc_minimal_dbs/), so remediation should be prioritized. Update to version 2026.05.1 or later as soon as possible to prevent exploitation.

Recommended defensive actions

  • Update to version 2026.05.1 or later
  • Be cautious when attaching new sources
  • Monitor for potential exploitation
  • Restrict permissions for base-create users
  • Implement additional security measures to prevent arbitrary file access

Evidence notes

The evidence for this vulnerability comes from the NVD and CVE.org. The vulnerability is fixed in version 2026.05.1. The CVSS score for this vulnerability is 5.3, indicating a medium severity. There is limited information available about the vulnerability, so users should be cautious when attaching new sources.

Official resources

This article is AI-assisted and based on the supplied source corpus.