{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T03:53:52.021","vulnerabilities":[{"cve":{"id":"CVE-2026-24766","sourceIdentifier":"security-advisories@github.com","published":"2026-01-28T21:16:12.103","lastModified":"2026-02-04T20:06:08.177","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue."},{"lang":"es","value":"NocoDB es un software para construir bases de datos como hojas de cálculo. Antes de la versión 0.301.0, un usuario autenticado con permisos de creador a nivel de organización puede explotar la contaminación de prototipos en el endpoint '/api/v2/meta/connection/test', provocando que todas las operaciones de escritura de la base de datos fallen en toda la aplicación hasta el reinicio del servidor. Aunque la contaminación técnicamente elude las comprobaciones de autorización de SUPER_ADMIN, no se pueden realizar acciones privilegiadas prácticas porque las operaciones de la base de datos fallan inmediatamente después de la contaminación. La versión 0.301.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H","baseScore":4.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1321"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*","versionEndExcluding":"0.301.0","matchCriteriaId":"5E17808E-7686-4232-8ADC-D8C548B7F9F0"}]}]}],"references":[{"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9","source":"security-advisories@github.com","tags":["Vendor Advisory","Exploit"]}]}}]}