CVE Catalog

CVE-2026-47382

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 had a vulnerability that allowed opening a raw TCP socket to a user-supplied database host without validating the destination address. This enabled access to private and link-local addresses, including localhost.

Risk Assessment

Organizations could be exposed to unauthorized access to local resources, posing a risk of data leakage or attacks on infrastructure.

Recommendation

It is recommended to update NocoDB to version 2026.05.1 or later to mitigate this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS