CVE-2026-53931 | NocoDB is software for building databases as spreadsheets. P… | CVSS 6.9 MEDIUM

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the underlying request is for another file. This vulnerability is fixed in 2026.05.1.

Metadata

CVE ID: CVE-2026-53931
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-11 15:46 UTC
Published: 2026-06-23 19:41 UTC
Last updated: 2026-06-23 19:41 UTC
Primary CWE: CWE-441
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy'…
Vendor / Product: nocodb / nocodb
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
nocodb	nocodb	—	< 2026.05.1

Weakness (CWE)

CWE	Source	Description
CWE-441	cna	CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References (1)

https://github.com/nocodb/nocodb/security/advisories/GHSA-hmcr-rmjq-47qr https://github.com/nocodb/nocodb/security/advisories/GHSA-hmcr-rmjq-47qr