CVE-2026-28401: NocoDB Stored XSS Vulnerability

CVE-2026-28401 Overview

NocoDB is an open-source software solution for building databases as spreadsheets. Prior to version 0.301.3, the application contains a stored Cross-Site Scripting (XSS) vulnerability in the rich text cell rendering functionality. The vulnerability exists because rich text cell content is rendered using v-html without proper sanitization, allowing attackers to inject and execute malicious scripts in the context of other users' browsers.

Critical Impact

Attackers can inject persistent malicious scripts into rich text cells that execute when other users view the affected content, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.

Affected Products

• NocoDB versions prior to 0.301.3
• NocoDB instances with rich text cell functionality enabled
• Self-hosted and cloud deployments running vulnerable versions

Discovery Timeline

• 2026-03-02 - CVE CVE-2026-28401 published to NVD
• 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-28401

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in NocoDB's handling of rich text cell content within the Vue.js frontend framework.

When users create or edit rich text cells in NocoDB spreadsheets, the content is stored and subsequently rendered using Vue's v-html directive. This directive bypasses Vue's built-in escaping mechanisms and renders raw HTML directly into the DOM. Without proper sanitization of user-supplied content before rendering, attackers can craft malicious payloads containing JavaScript code that will execute in the browsers of any user who views the affected cell.

The stored nature of this XSS vulnerability makes it particularly dangerous, as the malicious payload persists in the database and affects all users who access the compromised spreadsheet or database view.

Root Cause

The root cause of this vulnerability is the use of Vue.js v-html directive to render user-controlled rich text content without implementing proper HTML sanitization. The v-html directive is explicitly documented by Vue.js as dangerous when used with untrusted content, as it does not perform any encoding or filtering of the input string.

The application failed to implement a sanitization layer (such as DOMPurify or similar libraries) to strip potentially dangerous HTML elements and JavaScript event handlers before rendering the rich text content.

Attack Vector

The attack can be performed over the network by any user with permissions to create or edit rich text cells in a NocoDB database. The attacker crafts a rich text cell containing malicious HTML and JavaScript code. When other users view the spreadsheet containing the malicious cell, the injected script executes in their browser context.

Common attack payloads include script tags, event handlers (such as onerror, onload, onmouseover), and JavaScript URIs that can steal session cookies, redirect users to phishing pages, modify page content, or perform actions on behalf of the victim user.

Detection Methods for CVE-2026-28401

Indicators of Compromise

• Unusual JavaScript payloads detected in rich text cell content within NocoDB databases
• Database records containing HTML script tags, event handlers, or javascript: URIs in text fields
• Client-side errors or unexpected script execution reported by users when viewing spreadsheets
• Unexplained session activity or unauthorized actions traced back to XSS-based session hijacking

Detection Strategies

• Implement Content Security Policy (CSP) headers to detect and block inline script execution
• Monitor application logs for suspicious content being saved to rich text fields
• Deploy web application firewall (WAF) rules to identify XSS payload patterns in HTTP requests
• Review database content for common XSS attack signatures and encoded JavaScript payloads

Monitoring Recommendations

• Enable browser console logging to capture blocked script execution attempts
• Configure alerting for Content Security Policy violations reported back to your security monitoring infrastructure
• Audit user activity logs for patterns indicating exploitation attempts or suspicious cell editing behavior
• Implement integrity monitoring for critical NocoDB configuration and frontend assets

How to Mitigate CVE-2026-28401

Immediate Actions Required

• Upgrade NocoDB to version 0.301.3 or later immediately
• Review existing rich text cell content in databases for potentially malicious payloads
• Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
• Consider temporarily restricting rich text cell creation permissions until the patch is applied

Patch Information

NocoDB has released version 0.301.3 which addresses this vulnerability by implementing proper sanitization of rich text cell content before rendering. The patch is available through the official NocoDB Release 0.301.3. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-wwp2-x4rj-j8rm.

Workarounds

• Deploy a reverse proxy or WAF with XSS filtering rules in front of NocoDB instances
• Implement strict Content Security Policy headers that block inline scripts and unsafe-inline sources
• Restrict user permissions to limit who can create or edit rich text cells until patching is complete
• Audit and sanitize existing database content using server-side scripts to remove potentially malicious HTML

# Example Content Security Policy configuration for nginx
# Add to your nginx server configuration block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self';" always;