CVE-2026-53927
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability in the spreadsheet-fetch endpoint (axiosRequestMake) that accepted URLs with a permitted extension anywhere in the string. This allowed access to the cloud-metadata endpoint via a crafted URL.
Risk Assessment
Organizations may be exposed to unauthorized access to sensitive cloud data, potentially leading to information leaks or privacy breaches.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 or later to mitigate this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL This vulnerability is fixed in 2026.05.1.

