CVE Catalog

CVE-2026-53927

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile - higher than 20% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 had a vulnerability in the spreadsheet-fetch endpoint (axiosRequestMake) that accepted URLs with a permitted extension anywhere in the string. This allowed access to the cloud-metadata endpoint via a crafted URL.

Risk Assessment

Organizations may be exposed to unauthorized access to sensitive cloud data, potentially leading to information leaks or privacy breaches.

Recommendation

It is recommended to update NocoDB to version 2026.05.1 or later to mitigate this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS