Description

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue.

INFO

Published Date :

2026-01-28T20:27:42.819Z

Last Modified :

2026-01-29T18:01:30.160Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24766 vulnerability.

Vendors Products
Nocodb
  • Nocodb
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24766.

URL Resource
https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact