CVE-2026-24768
📋 TL;DR
NocoDB versions before 0.301.0 contain an open redirect vulnerability in the login flow. Attackers can redirect authenticated users to malicious websites after login, enabling phishing attacks. This affects all NocoDB instances running vulnerable versions.
💻 Affected Systems
- NocoDB
📦 What is this software?
NocoDB, by NocoDB
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to convincing phishing sites that steal credentials or install malware, leading to account compromise and potential data breaches.
Likely Case
Attackers create convincing phishing pages that harvest user credentials through social engineering, compromising individual accounts.
If Mitigated
Users are redirected only to trusted domains, preventing external phishing attacks while maintaining legitimate redirect functionality.
🎯 Exploit Status
Exploitation requires user interaction (login) but is technically simple once the malicious redirect URL is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.301.0
Vendor Advisory: https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj
Restart Required: Yes
Instructions:
1. Back up your NocoDB instance and data.
2. Update NocoDB to version 0.301.0 or later using your deployment method (npm, Docker, etc.).
3. Restart the NocoDB service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Proxy
Deploy a reverse proxy or WAF that validates and filters the continueAfterSignIn parameter to allow only trusted domains.
Login Flow Modification
Modify the login flow to remove or hardcode the redirect functionality, eliminating the vulnerable parameter.
🧯 If You Can't Patch
- Implement network segmentation to isolate NocoDB from sensitive systems and limit user access.
- Deploy security awareness training to educate users about phishing risks and verify URLs before entering credentials.
🔍 How to Verify
Check if Vulnerable:
Check if the NocoDB version is below 0.301.0 by examining the application interface or deployment configuration.
Check Version:
Check the NocoDB web interface settings or run: npm list nocodb (if installed via npm) or docker inspect <container> | grep version
Verify Fix Applied:
After updating, confirm the version is 0.301.0 or higher and test that redirects to external domains in the continueAfterSignIn parameter are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in authentication logs
- Login requests with external URLs in the continueAfterSignIn parameter
Network Indicators:
- Outbound connections to unexpected domains immediately after login
- HTTP 302 redirects to non-NocoDB domains
SIEM Query:
source="nocodb" AND (url="*continueAfterSignIn=*" AND NOT url="*continueAfterSignIn=*/dashboard*")
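The allow-list check described under Temporary Workarounds and the log indicator for external continueAfterSignIn values, as one added JavaScript example (not NocoDB's code; the trusted origin, default path, route paths and log lines are constructed):

```javascript
// Added example (not NocoDB's code): allow-list a post-login redirect value and
// flag log lines whose continueAfterSignIn would leave the trusted origin.
// TRUSTED_ORIGIN, DEFAULT_PATH and SAMPLE_LOG are constructed values.
const TRUSTED_ORIGIN = "https://nocodb.example.com";
const DEFAULT_PATH = "/dashboard";

// Returns a same-origin relative target (path + query + fragment), or null when
// the value would send the user anywhere else.
function resolveTrustedRedirect(value, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof value !== "string" || value.length === 0) return null;
  // Browsers strip control characters ("java\tscript:"), so refuse them outright.
  if (/[\s\u0000-\u001f]/.test(value)) return null;
  let parsed;
  try {
    parsed = new URL(value, trustedOrigin); // relative paths resolve to trustedOrigin
  } catch {
    return null;
  }
  // Exact origin match rejects "//evil.example", "/\evil.example" (backslash is a
  // slash in WHATWG http(s) parsing), "user@evil.example" tricks, javascript:/data:
  // URLs (origin "null") and a downgrade to http://.
  if (parsed.origin !== trustedOrigin) return null;
  return parsed.pathname + parsed.search + parsed.hash;
}

// What the login handler should redirect to: a foreign host is never returned.
function safeRedirectTarget(value, trustedOrigin = TRUSTED_ORIGIN) {
  return resolveTrustedRedirect(value, trustedOrigin) ?? DEFAULT_PATH;
}

// Detection side: run the same check over access-log lines, returning the ones that fail it.
function findOpenRedirectAttempts(logLines, trustedOrigin = TRUSTED_ORIGIN) {
  const hits = [];
  for (const line of logLines) {
    const m = /[?&]continueAfterSignIn=([^&\s"]*)/.exec(line);
    if (!m) continue;
    let value = m[1];
    try { value = decodeURIComponent(value); } catch { /* keep the raw value */ }
    if (resolveTrustedRedirect(value, trustedOrigin) === null) hits.push(line);
  }
  return hits;
}

// Constructed sample log lines; the paths are illustrative, not NocoDB's routes.
const SAMPLE_LOG = [
  "GET /signin?continueAfterSignIn=%2Fdashboard 200",
  "GET /signin?continueAfterSignIn=https%3A%2F%2Fevil.example%2Flogin 302",
  "GET /signin?continueAfterSignIn=%2F%2Fevil.example 302",
  "GET /signin 200",
];
```

The same function serves both the proxy filter and the log review: anything that does not resolve to a relative path on the trusted origin is dropped to the default path on the way in and flagged on the way through the logs.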