CVE-2022-2062

7.5 HIGH

📋 TL;DR

This vulnerability in NocoDB, fixed in version 0.91.7+, allows error messages to expose sensitive information. An attacker who can trigger an error can read internal system details from the response, which aids reconnaissance for further attacks. All users running versions of NocoDB before the fix are affected.

💻 Affected Systems

Products:
  • NocoDB
Versions: All versions prior to 0.91.7+
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of NocoDB regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive information disclosure leads to full system compromise through follow-up attacks using exposed credentials or system details.

🟠 Likely Case

Information disclosure revealing internal system architecture, configuration details, or partial data that aids attackers in reconnaissance.

🟢 If Mitigated

Limited exposure of non-critical information with proper error handling and logging controls.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and error messages can be triggered remotely.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but they first need network access to the instance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves triggering error conditions to reveal sensitive information in error responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.91.7+

Vendor Advisory: https://github.com/nocodb/nocodb/commit/a18f5dd53811b9ec1c1bb2fdbfb328c0c87d7fb4

Restart Required: Yes

Instructions:

1. Update NocoDB to version 0.91.7 or later.
2. Restart the NocoDB service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Error Message Sanitization

all

Implement custom error handling middleware that replaces internal error details (stack traces, file paths, connection strings, configuration values) with a generic message before the response is returned to users, while keeping the full detail in server-side logs.

Web Application Firewall

all

Deploy WAF rules to filter error responses containing sensitive information.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to NocoDB instances.
  • Enable detailed logging and monitoring for error message patterns.

🔍 How to Verify

Check if Vulnerable:

Check the NocoDB version via the web interface or API. If the version is below 0.91.7, the system is vulnerable.

Check Version:

Check the web interface, or use the API endpoint that reports the running version.

Verify Fix Applied:

After updating, test error conditions to ensure no sensitive information appears in error messages.

📡 Detection & Monitoring

Log Indicators:

  • Error responses containing sensitive data like paths, configuration details, or internal information

Network Indicators:

  • HTTP responses with detailed error messages containing internal system information

SIEM Query:

http.status_code >= 400 AND (http.response_body CONTAINS 'path' OR http.response_body CONTAINS 'config' OR http.response_body CONTAINS 'sensitive')

The parentheses matter: without them, `AND` binds tighter than `OR` in most query languages and the bare `'path'` and `'config'` terms would match everything.

🔗 References
