CVE-2026-47385
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk24th percentile - higher than 24% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 allowed authenticated users with base-create permissions to attach a SQLite source pointing at any file on the NocoDB host, including NocoDB's internal databases. Users could point to noco.db or other databases, enabling them to read or overwrite their contents.
Risk Assessment
This vulnerability poses a serious risk to data integrity, as users could unauthorizedly modify or access sensitive information in the databases.
Recommendation
It is recommended to upgrade NocoDB to version 2026.05.1 or later to mitigate this vulnerability and to restrict user permissions for creating databases.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.

