CVE-2026-28359 Overview
CVE-2026-28359 is an HTML Injection vulnerability affecting NocoDB, software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This vulnerability enables stored Cross-Site Scripting (XSS) attacks that could affect other users viewing the malicious content.
Critical Impact
Authenticated attackers can inject malicious HTML content that executes in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions within the NocoDB application.
Affected Products
- NocoDB versions prior to 0.301.3
- NocoDB Rich Text cell functionality
- NocoDB API endpoints handling Rich Text content
Discovery Timeline
- 2026-03-02 - CVE-2026-28359 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28359
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The core issue stems from insufficient input validation when processing Rich Text content submitted directly through the API, bypassing the client-side TipTap editor's sanitization mechanisms.
NocoDB implements Rich Text editing capabilities using the TipTap editor, which typically sanitizes HTML content on the client side before submission. However, the server-side API endpoints fail to perform equivalent validation, creating a security gap that attackers can exploit by crafting direct API requests containing malicious HTML payloads.
Root Cause
The vulnerability exists because of a trust boundary violation where server-side input validation assumes content has been sanitized by the client-side TipTap editor. When attackers bypass the frontend editor and submit raw HTML directly to the API, the server accepts and stores the malicious content without proper sanitization. This stored HTML is then rendered when other users view the affected Rich Text cells, executing the injected code in their browser context.
Attack Vector
The attack requires network access and an authenticated session with Editor role privileges. An attacker can exploit this vulnerability by:
- Authenticating to NocoDB with an Editor role account
- Identifying API endpoints that handle Rich Text cell updates
- Crafting HTTP requests containing malicious HTML payloads
- Sending these requests directly to the API, bypassing the TipTap editor
- Waiting for other users to view the affected cells, triggering script execution
The vulnerability manifests when raw HTML is submitted via the API to Rich Text cell endpoints. Attackers can inject script tags, event handlers, or other malicious HTML constructs that execute when rendered. For technical implementation details, refer to the GitHub Security Advisory GHSA-qxwq-q265-hc44.
Detection Methods for CVE-2026-28359
Indicators of Compromise
- Unusual HTML tags or JavaScript code within Rich Text cell content in the database
- API requests to Rich Text endpoints containing script tags, event handlers, or iframe elements
- User reports of unexpected browser behavior or redirects when viewing specific cells
- Authentication tokens or session data being transmitted to external domains
Detection Strategies
- Monitor API logs for Rich Text cell update requests containing HTML script tags or event handlers
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Deploy Web Application Firewall (WAF) rules to inspect API request bodies for XSS payloads
- Audit database content for stored HTML injection patterns in Rich Text fields
Monitoring Recommendations
- Enable detailed logging for all Rich Text API endpoints and review for suspicious patterns
- Configure browser-based XSS detection headers and monitor for violations
- Implement real-time alerting for API requests matching known XSS payload signatures
- Conduct periodic database scans to identify potentially malicious HTML content in Rich Text cells
How to Mitigate CVE-2026-28359
Immediate Actions Required
- Upgrade NocoDB to version 0.301.3 or later immediately
- Review existing Rich Text cell content in the database for malicious HTML injections
- Temporarily restrict Editor role access if immediate patching is not possible
- Implement additional input validation at the network perimeter using WAF rules
Patch Information
NocoDB has addressed this vulnerability in version 0.301.3. The patch implements proper server-side HTML sanitization for Rich Text content, ensuring that malicious HTML is stripped regardless of whether content is submitted through the TipTap editor or directly via the API. Organizations should upgrade to version 0.301.3 or later to remediate this vulnerability.
For detailed release information, see NocoDB Release 0.301.3.
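The two defensive pieces this page calls for, a server-side sanitizer that runs on every write regardless of whether the TipTap editor or a raw API call produced the HTML (the behaviour the 0.301.3 fix is described as adding) and a scan of already-stored Rich Text values (the database audit recommended under Detection Strategies), as one added example written for this page. It is not NocoDB's own code; the tag and attribute allowlist is assumed, and the sample cell values are constructed.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "strong", "em", "u", "s", "ul", "ol", "li", "a", "h1", "h2", "h3", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}                         # assumed allowlist, not NocoDB's own
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")  # any other scheme (javascript:, data:) is dropped

class RichTextSanitizer(HTMLParser):  # rebuilds the HTML from the allowlist and records what it dropped
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.dropping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            if tag in ("script", "style"):                # discard the element's text as well
                self.dropping = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):    # covers on* event handlers, style, srcdoc, ...
                self.findings.append(f"attribute {name} on <{tag}>")
            elif name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.findings.append(f"unsafe href {value!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:                             # text is re-escaped, never passed through
            self.out.append(escape(data, quote=False))

def sanitize(html):  # -> (clean_html, findings); run on the server for every write, whatever the client
    p = RichTextSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings

def audit_cells(cells):  # scan already-stored cell values -> {cell_id: findings} for the ones to clean up
    return {cid: f for cid, html in cells.items() if (f := sanitize(html)[1])}

SAMPLE_CELLS = {"row-1": "<p>Quarterly <strong>summary</strong></p>",              # constructed sample
                "row-2": '<p onmouseover="alert(1)">Hi</p><script>alert(1)</script>'}  # values, not real data
```

`audit_cells(SAMPLE_CELLS)` flags only `row-2`; the same `sanitize` call, placed in the API write path, is what closes the gap between the editor and the API.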
Workarounds
- Deploy a Web Application Firewall (WAF) with rules to filter HTML and JavaScript in API request bodies
- Implement Content Security Policy headers to prevent inline script execution
- Restrict Editor role assignments to trusted users only until patching is complete
- Consider disabling Rich Text cell functionality temporarily if the risk is unacceptable
# Example Content Security Policy header configuration for nginx (test it against the application first: a strict script-src also blocks legitimate inline scripts)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.