CVE Catalog

CVE-2026-53931

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile - higher than 21% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 had a vulnerability that allowed the spreadsheet-import endpoint axiosRequestMake to be used as a generic HTTP proxy. This endpoint was accessible unauthenticated, enabling unauthorized access.

Risk Assessment

Organizations could be exposed to unauthorized data access through this vulnerability, potentially leading to information leaks or attacks on other services.

Recommendation

It is recommended to update NocoDB to version 2026.05.1 or later to eliminate this vulnerability and implement additional security measures such as authentication for endpoints.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the underlying request is for another file. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS