CVE-2026-53931
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability that allowed the spreadsheet-import endpoint axiosRequestMake to be used as a generic HTTP proxy. This endpoint was accessible unauthenticated, enabling unauthorized access.
Risk Assessment
Organizations could be exposed to unauthorized data access through this vulnerability, potentially leading to information leaks or attacks on other services.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 or later to eliminate this vulnerability and implement additional security measures such as authentication for endpoints.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the underlying request is for another file. This vulnerability is fixed in 2026.05.1.

