CVE-2026-47385 in NocoDB

Summary

by MITRE • 06/24/2026

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs. This vulnerability is fixed in 2026.05.1.


Analysis

by VulDB Data Team • 06/24/2026

This vulnerability exists within NocoDB software, a platform designed for creating database applications using spreadsheet-like interfaces. The flaw stems from insufficient input validation and access control mechanisms that allow authenticated users with base-create permissions to manipulate file system operations through the SQLite integration functionality. Prior to version 2026.05.1, the system failed to properly validate or restrict file paths provided by users during the database source attachment process, creating a critical path traversal and privilege escalation opportunity.

The technical implementation of this vulnerability involves the SQLite client component and base/integration creation services accepting user-supplied filenames without adequate sanitization or path restriction checks. When users attach a SQLite source, the system calls fs.exists and fs.open('w') functions directly with the provided filename parameter, bypassing proper file system access controls. This design flaw enables attackers to specify arbitrary file paths within the NocoDB host's file system, including sensitive internal database files such as noco.db or tenant-specific databases located under the nc_minimal_dbs/ directory structure.

The operational impact of this vulnerability is severe and multifaceted, potentially allowing authenticated attackers to read sensitive data from internal databases, modify critical application configuration files, or even overwrite core database files with malicious content. Attackers could exploit this weakness to extract confidential information, manipulate user data, or disrupt service availability by corrupting the underlying database structures. The vulnerability particularly affects environments where multiple tenants share the same NocoDB instance, as attackers could potentially access or modify other tenants' database files through the shared file system paths.

This vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (Restriction of Files with Dangerous Extensions), representing path traversal and privilege escalation risks within database integration components. From an ATT&CK framework perspective, this weakness maps to T1059 (Command and Scripting Interpreter) and T1566 (Phishing) as attackers could potentially leverage this access to escalate privileges or extract sensitive data through database manipulation techniques. The vulnerability also represents a failure in the principle of least privilege, where user-supplied input directly influences system-level file operations without appropriate sandboxing or validation.

The fix implemented in version 2026.05.1 addresses this issue by introducing proper path validation and restriction mechanisms that prevent users from accessing arbitrary file paths within the NocoDB host's file system. The updated implementation likely includes path normalization, directory whitelist validation, and proper access control checks before allowing file system operations to proceed. Organizations should immediately upgrade to version 2026.05.1 or later to remediate this vulnerability and ensure that all users with base-create permissions cannot manipulate internal database files through the SQLite integration feature. Additionally, administrators should review existing database attachments and validate that no unauthorized access has occurred since the vulnerability was first introduced in the affected versions.

Responsible: GitHub M

Reservation: 05/19/2026

Disclosure: 06/24/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low

Sources
