CVE-2026-47382
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability that allowed opening a raw TCP socket to a user-supplied database host without validating the destination address. This enabled access to private and link-local addresses, including localhost.
Risk Assessment
Organizations could be exposed to unauthorized access to local resources, posing a risk of data leakage or attacks on infrastructure.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 or later to mitigate this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.

