CVE-2026-24766 Overview
NocoDB is software for building databases as spreadsheets. A prototype pollution vulnerability in NocoDB versions prior to 0.301.0 allows an authenticated user with org-level-creator permissions to pollute the global Object prototype through the /api/v2/meta/connection/test endpoint. Once the prototype is polluted, all database write operations fail application-wide until the server is restarted. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.
Critical Impact
Authenticated attackers holding the org-level-creator role can trigger a complete denial of service for all database write operations; a server restart is required to restore functionality. The practical impact is to availability only: the authorization bypass that accompanies the pollution yields no usable privileged action.
Affected Products
- NocoDB versions prior to 0.301.0
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-24766 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24766
Vulnerability Analysis
This vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), commonly known as Prototype Pollution. The flaw exists in the connection testing endpoint (/api/v2/meta/connection/test) of NocoDB, which fails to sanitize user-controlled input before processing it in a way that lets request keys reach Object.prototype.
When exploited, the pollution adds attacker-controlled properties to Object.prototype in the Node.js process. Because every ordinary object inherits from Object.prototype, the injected property is visible on every object the application subsequently creates or reads, which is why a single request is enough to make all later database write operations fail. The instance remains unusable for any data modification until administrators restart the server process, which discards the polluted prototype.
Although the pollution bypasses certain SUPER_ADMIN authorization checks in the codebase, this bypass provides no practical advantage to an attacker: the immediate side effect of the pollution is the failure of all database operations, including any privileged action the attacker might attempt.
Root Cause
The root cause is improper input validation and sanitization in the /api/v2/meta/connection/test endpoint. The endpoint processes user-supplied connection configuration data without protecting against prototype pollution payloads. When a request body contains keys such as __proto__, or constructor with a nested prototype, code that copies or merges the user-supplied object property by property follows those keys into Object.prototype instead of treating them as ordinary data, so the nested values become properties of every object in the process. Safe handling either rejects such keys outright or copies only own, plain data properties and never walks the prototype chain.
Attack Vector
The attack is network-based and requires authentication with org-level-creator permissions. An attacker with these privileges can send a specially crafted HTTP request to the vulnerable endpoint. The request contains a malicious JSON payload designed to pollute the JavaScript Object prototype.
The vulnerability manifests in the connection test functionality where user-supplied configuration objects are processed. For technical details on the specific exploitation mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2026-24766
Indicators of Compromise
- Unexpected HTTP requests to /api/v2/meta/connection/test whose JSON bodies use __proto__, constructor or prototype as object keys (as opposed to those words appearing inside string values)
- Sudden, unexplained failures of all database write operations across the NocoDB instance
- Server logs showing authentication from org-level-creator accounts followed by widespread database errors
- Application restart requirements coinciding with suspicious connection test activity
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block JSON payloads that use __proto__, constructor or prototype as object keys. Match the names as keys (quoted and followed by a colon) rather than as bare substrings, since "constructor" and "prototype" occur in legitimate text and a substring match will produce false positives
- Monitor API endpoint access patterns for unusual activity on the /api/v2/meta/connection/test endpoint
- Configure application-level logging to capture request bodies for connection test operations, but note that these bodies carry database hostnames and credentials: redact password fields or log only the set of key names, and protect the log store accordingly
- Deploy runtime application self-protection (RASP) solutions capable of detecting prototype pollution attempts
Monitoring Recommendations
- Set up alerts for database write operation failure rates exceeding normal thresholds
- Monitor server restart frequency and correlate with user activity logs
- Implement audit logging for all org-level-creator account activities
- Track API response codes from the connection test endpoint for anomalous patterns
How to Mitigate CVE-2026-24766
Immediate Actions Required
- Upgrade NocoDB to version 0.301.0 or later immediately
- Review audit logs for any suspicious activity on the /api/v2/meta/connection/test endpoint
- Restrict org-level-creator permissions to only trusted users until patching is complete
- Implement network-level access controls to limit who can reach the vulnerable endpoint
Patch Information
Version 0.301.0 of NocoDB patches this vulnerability by correcting how the connection test endpoint handles user-supplied object properties so that request keys can no longer modify Object.prototype. Users should upgrade to this version or later as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Implement a reverse proxy or WAF rule that rejects requests to /api/v2/meta/connection/test whose JSON bodies use __proto__, constructor or prototype as object keys; match them as keys, not as arbitrary substrings, to avoid blocking legitimate payloads
- Temporarily disable or restrict access to the connection test functionality at the network level
- Limit org-level-creator role assignments to essential personnel only until the patch can be applied
- Consider implementing application-level middleware that parses the incoming JSON, walks the resulting object tree and rejects the request (HTTP 400) when any of those keys is present, rather than silently stripping them
# Example ModSecurity v2 rule concept for blocking prototype pollution payloads
# sent to the vulnerable endpoint. Adapt to your WAF (ModSecurity, AWS WAF, etc.).
# Prerequisites: SecRequestBodyAccess On, and the raw body must be available in
# phase 2 (for application/json either enable the JSON body processor and match
# ARGS_NAMES instead, or set ctl:forceRequestBodyVariable=On in a phase 1 rule).
# Matching the names as JSON keys ("name":) rather than as bare substrings keeps
# legitimate text containing "constructor" or "prototype" from being blocked.
SecRule REQUEST_URI "@beginsWith /api/v2/meta/connection/test" \
    "id:100001,phase:2,deny,status:403,log,\
    msg:'Potential prototype pollution attempt blocked',chain"
    SecRule REQUEST_BODY "@rx [\"'](__proto__|constructor|prototype)[\"']\s*:" "t:none"
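The following is an added example, not NocoDB's code and not taken from the advisory. It illustrates the mechanism described under Root Cause (a recursive merge of user-supplied keys that walks into Object.prototype) beside the application-level guard suggested in the Workarounds list: a key scanner that runs over the parsed JSON tree, a hardened merge that skips the dangerous keys, and an Express-style middleware wrapper. The payload field names (client, connection, host, port) and the request property rawBody are assumptions for illustration; the sample payloads are constructed, not captured traffic.

```javascript
'use strict';

// Vulnerable pattern (illustrative, not NocoDB's code): recursively copying
// user-controlled keys into a target object. For the key "__proto__" the
// lookup target[key] returns Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the path of the first forbidden key, or
// null when the value is clean. JSON.parse creates "__proto__" as an own data
// property (it does not invoke the setter), so Object.keys() reports it.
function findPollutionKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutionKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
      const hit = findPollutionKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Hardened merge: skip forbidden keys and only recurse into own plain objects,
// so an inherited accessor such as __proto__ is never used as a merge target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Validate a raw request body before the handler sees it. Returns the parsed
// body on success, or a status and reason the middleware turns into a 400.
function validateConnectionTestBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, status: 400, reason: 'invalid JSON' };
  }
  const hit = findPollutionKey(parsed);
  if (hit) return { ok: false, status: 400, reason: `forbidden key at ${hit}` };
  return { ok: true, body: parsed };
}

// Express-style middleware shape; req.rawBody is an assumed property holding the
// unparsed body. Express itself is not needed to run this function.
function rejectPrototypePollution(req, res, next) {
  const result = validateConnectionTestBody(req.rawBody);
  if (!result.ok) return res.status(result.status).json({ error: result.reason });
  req.body = result.body;
  return next();
}

// Constructed sample payloads (not captured traffic).
const BENIGN = '{"client":"pg","connection":{"host":"db.internal","port":5432}}';
const MALICIOUS = '{"client":"pg","connection":{"__proto__":{"polluted":"yes"}}}';

// Show the difference: reports whether Object.prototype was polluted by each
// merge, and removes the injected property so the process is left intact.
function demo() {
  const outcome = {};
  unsafeMerge({}, JSON.parse(MALICIOUS));
  outcome.unsafePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  safeMerge({}, JSON.parse(MALICIOUS));
  outcome.safePolluted = ({}).polluted !== undefined;
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Running demo() reports unsafePolluted: true and safePolluted: false. The guard is deliberately a rejection rather than a strip: a connection configuration has no legitimate reason to carry any of the three keys, and rejecting makes the attempt visible in logs. Scanning the parsed tree (rather than grepping the raw string) is what avoids the false positives a substring match on "constructor" produces.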
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

