CVE-2026-24769
📋 TL;DR
Authenticated users can upload malicious SVG files containing JavaScript in NocoDB versions before 0.301.0. When other users view these attachments, the JavaScript executes in their browsers, potentially compromising accounts, stealing data, or performing unauthorized actions. This affects all NocoDB instances running vulnerable versions.
💻 Affected Systems
- NocoDB
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data exfiltration of all database content, and unauthorized administrative actions performed on behalf of compromised users.
Likely Case
Session hijacking, data theft from accessible databases, and unauthorized modifications to database content.
If Mitigated
Limited impact if proper input validation and content security policies are enforced, though stored XSS remains dangerous.
🎯 Exploit Status
Exploitation requires authenticated user access to upload malicious SVG files. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.301.0
Vendor Advisory: https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr
Restart Required: Yes
Instructions:
1. Backup your NocoDB instance and data.
2. Update NocoDB to version 0.301.0 or later using your deployment method (Docker, npm, etc.).
3. Restart the NocoDB service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable SVG uploads
Configure NocoDB to block SVG file uploads through attachment handling settings or web server configuration.
Configure NocoDB settings to reject SVG MIME types or implement web server rules to block *.svg uploads
Implement Content Security Policy
Add CSP headers to prevent inline script execution from uploaded files.
Add a Content-Security-Policy: script-src 'self' header to NocoDB responses
🧯 If You Can't Patch
- Restrict user permissions to limit who can upload attachments
- Implement web application firewall rules to detect and block malicious SVG content
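The WAF rule above needs a concrete notion of "malicious SVG content". The following added example (not NocoDB code, and not from the advisory) shows one way to screen an uploaded SVG on the server side before it is stored: it parses the file with the Python standard library and flags the constructs that make an SVG executable rather than a plain image (script elements, foreignObject, on* event-handler attributes, and javascript: URIs in href). The sample SVG documents are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Element local names that carry executable or HTML content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip a Clark-notation namespace, e.g. '{http://www.w3.org/2000/svg}a' -> 'a'."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_uri(value: str) -> bool:
    """True for javascript:/data:text/html URIs, ignoring whitespace and control
    characters that browsers tolerate inside the scheme."""
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    return cleaned.startswith("javascript:") or cleaned.startswith("data:text/html")


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return a list of findings describing active content in an SVG upload.

    An empty list means none of the screened constructs were present. Malformed
    XML raises ValueError so callers reject the file instead of storing a blob
    that a lenient browser parser might still render."""
    try:
        root = ET.fromstring(svg_bytes)  # comments/PIs are dropped, so tags are str
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc

    findings = []
    for elem in root.iter():  # document order, starting at the <svg> root
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # also normalises xlink:href -> href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and _is_script_uri(value):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings


# Constructed samples: the bodies are placeholders, only the structure matters.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<rect width="10" height="10" fill="red"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* payload */">'
                 b'<script>/* payload */</script>'
                 b'<a xlink:href="  javascript:void(0)"><text>click</text></a></svg>')
```

Treat a non-empty result as grounds to reject the upload; an empty result is not proof of safety, so this check complements, rather than replaces, the workarounds above.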
🔍 How to Verify
Check if Vulnerable:
Check NocoDB version via web interface or API. If version is below 0.301.0, the system is vulnerable.
Check Version:
Check the NocoDB web interface settings or query the API endpoint /api/v1/meta/version.
Verify Fix Applied:
After updating, confirm the version is 0.301.0 or higher and test SVG upload functionality to ensure scripts are not executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads from authenticated users
- Multiple attachment uploads from a single user in a short time
Network Indicators:
- HTTP POST requests with SVG files containing script tags
- Unexpected outbound connections after viewing attachments
SIEM Query:
source="nocodb" AND (file_extension="svg" OR mime_type="image/svg+xml")