CVE-2026-24766 MEDIUM

CVE-2026-24766: NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS

Vendor Nocodb
Product nocodb
Weakness CWE-1321
Published January 28, 2026
Last update January 29, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.

Key dates

Disclosure timeline

January 28, 2026 CVE published
January 29, 2026 Record updated