PatchSiren cyber security CVE debrief
CVE-2026-47387 nocodb CVE debrief
CVE-2026-47387 is a vulnerability in NocoDB, a software for building databases as spreadsheets. Prior to version 2026.05.1, the shared form-view submit handler in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. This allows an attacker with editor role (or above) on any base to plant a JavaScript URL in the form's redirect_url. When an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage['nocodb-gui-v2']. The vulnerability is fixed in version 2026.05.1.
- Vendor: nocodb
- Product: Unknown
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-25
Who should care
Users of NocoDB should be aware of this vulnerability, in particular two groups: anyone who holds the editor role (or above) on any base, since that role is what an attacker needs to plant the redirect_url payload, and authenticated users who open and submit shared form links, since they are the ones in whose browser the payload runs. Successful exploitation executes attacker-controlled JavaScript in the NocoDB origin, which can expose the session token stored in localStorage['nocodb-gui-v2'] and lead to unauthorized access to sensitive information. Administrators of NocoDB instances should ensure that they are running version 2026.05.1 or later to mitigate this vulnerability.
Technical summary
The vulnerability in NocoDB arises from the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts), which writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. Because only the host is checked, a redirect_url with a JavaScript scheme passes the check, so an attacker with editor role (or above) on any base can plant a JavaScript URL in the form's redirect_url. When an authenticated viewer opens the share-link and submits the form, the browser navigates to that URL and the payload executes in the NocoDB origin, where it can read the session token from localStorage['nocodb-gui-v2']. The vulnerability is fixed in version 2026.05.1.
Defensive priority
High priority should be given to updating NocoDB instances to version 2026.05.1 or later. In the meantime, administrators should monitor their NocoDB instances for any suspicious activity and ensure that only authorized users have access to the editor role (or above).
Recommended defensive actions
- Update NocoDB instances to version 2026.05.1 or later.
- Monitor NocoDB instances for suspicious activity.
- Ensure only authorized users have access to the editor role (or above).
- Review and restrict the use of JavaScript URLs in form redirect URLs.
- Implement additional security measures to protect against unauthorized access to sensitive information.
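The technical summary above describes a same-host check that ignores the URL scheme, and the action list asks for JavaScript URLs in form redirect URLs to be restricted. The following is an added example, not NocoDB's own code, showing a host-only check of the kind the advisory describes beside a hardened validator that resolves the redirect target against the page origin, accepts only http: and https:, and compares the full origin. The page origin `https://nocodb.example`, the function names and the sample redirect values are all constructed for this illustration.

```javascript
// Added example (not NocoDB code). Assumed origin of the page hosting the shared form.
const PAGE_ORIGIN = 'https://nocodb.example';

// Weak check (an assumption about the pre-fix logic, not the project's code):
// it compares the host only and treats an empty host as "relative, so same host".
// Scheme-only URLs such as javascript: or data: parse with an empty host and pass.
function weakSameHost(redirectUrl, origin = PAGE_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(redirectUrl, origin);
  } catch {
    return false;
  }
  const allowedHost = new URL(origin).host;
  return parsed.host === '' || parsed.host === allowedHost;
}

// Hardened check: resolve against the page origin, require an http(s) scheme,
// and require the resolved origin to equal the page origin.
// Returns the normalized absolute URL to navigate to, or null to refuse.
function safeRedirectTarget(redirectUrl, origin = PAGE_ORIGIN) {
  if (typeof redirectUrl !== 'string' || redirectUrl.trim() === '') return null;
  let parsed;
  try {
    parsed = new URL(redirectUrl, origin);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (parsed.origin !== new URL(origin).origin) return null;
  return parsed.href;
}

// Submit-handler shape that never assigns an unvalidated value to location.href.
// `navigate` is injected so the logic can run outside a browser; the fallback
// path is the assumed post-submit landing page.
function afterSubmit(redirectUrl, navigate, fallback = PAGE_ORIGIN + '/') {
  const target = safeRedirectTarget(redirectUrl);
  navigate(target === null ? fallback : target);
  return target !== null;
}

// Run a set of constructed redirect values through both checks for comparison.
function compareChecks(samples) {
  return samples.map((sample) => ({
    sample,
    weakAllows: weakSameHost(sample),
    hardenedTarget: safeRedirectTarget(sample),
  }));
}

// Constructed sample redirect_url values (none are real NocoDB data).
const SAMPLES = [
  '/dashboard/#/nc',                  // same-origin relative path
  'https://nocodb.example/thanks',    // same-origin absolute URL
  'https://attacker.example/',        // other host
  '//attacker.example/x',             // protocol-relative, other host
  'javascript:void(0)',               // scheme-only URL, empty host
  'data:text/plain,hello',            // scheme-only URL, empty host
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compareChecks(SAMPLES)) console.log(row);
}
```

The interesting rows are the scheme-only URLs: the host-only check lets them through because the parsed host is empty, while the hardened validator rejects them on the protocol test before any host comparison happens. Keeping the navigation behind `afterSubmit` means a rejected value falls back to a fixed landing page rather than being written to `window.location.href`.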
Evidence notes
The vulnerability is confirmed by the CVE record and the NVD detail. The source item URL provides additional information about the vulnerability, including the CVSS vector and weaknesses. The reference URL from GitHub provides further details about the vulnerability and the fix.
Official resources
- CVE-2026-47387 CVE record (CVE.org)
- CVE-2026-47387 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
This article is AI-assisted and based on the supplied source corpus.