DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-24766: NocoDB Prototype Pollution: Crashing the Database Party with One JSON Key

Vulnerability ID: CVE-2026-24766
CVSS Score: 4.9
Published: 2026-01-28

A classic Prototype Pollution vulnerability exists in NocoDB's connection testing endpoint. By supplying a crafted JSON payload containing the __proto__ key, an authenticated attacker can write arbitrary properties onto the global Object prototype. Because every plain object in the Node.js process inherits from that prototype, the injected properties surface on objects the database layer never created; the drivers fail on them, and the result is an application-wide Denial of Service (DoS) that turns this 'database-as-spreadsheet' tool into a 'server-as-paperweight'.

TL;DR

NocoDB versions < 0.301.0 allow authenticated users with the Org Creator role to trigger Prototype Pollution via the connection test API. The polluted Object prototype breaks the underlying Knex.js query builder and the database driver beneath it, so the whole instance stops serving requests until the process is restarted (the pollution lives only in process memory and does not survive a restart).


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network (API)
  • CVSS: 4.9 (Medium)
  • Impact: Denial of Service (DoS)
  • Privileges: High (Org Creator)
  • Fix Version: 0.301.0

Affected Systems

  • NocoDB Server
  • NocoDB: < 0.301.0 (Fixed in: 0.301.0)

Exploit Details

Mitigation Strategies

  • Input Sanitization: reject or strip the keys __proto__, constructor and prototype at every depth of untrusted JSON before it reaches any recursive merge, and validate the connection config against the fixed set of fields the endpoint actually expects.
  • Use Safe Libraries: replace hand-rolled deep-merge helpers with a maintained utility that explicitly skips prototype keys and only recurses into objects the target owns, and keep it updated, since several popular merge libraries have carried the same bug.
  • Freeze Prototypes: as defence in depth, call Object.freeze(Object.prototype) at startup (or run Node.js with --frozen-intrinsics) so that a write to the prototype fails instead of succeeding silently; test first, because libraries that extend Object.prototype will break.
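
To make the bug and the first two mitigations concrete, here is an added example in plain Node.js. It is not NocoDB's code and not the deepMerge utility mentioned in the remediation steps; vulnerableDeepMerge() is a generic recursive merge of the shape such helpers take when they lack prototype-key checks, safeDeepMerge() and containsPrototypeKey() are the hardened forms, and the request body (including the client: "pg" field) is constructed for the example.

```javascript
// Added example, not NocoDB's code. vulnerableDeepMerge() is a generic
// recursive merge of the shape many "deepMerge" helpers take when they lack
// prototype-key checks; safeDeepMerge() and containsPrototypeKey() are the
// hardened forms. The payload below is constructed for this example.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed request body: a plausible connection config plus the pollution key.
// JSON.parse() creates a real own property named "__proto__" on the result;
// it does not treat the key as the inherited accessor.
const ATTACK_PAYLOAD = '{"client":"pg","__proto__":{"polluted":true}}';

function isPlainObjectLike(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: no key filtering, and it reads target[key] for every key.
// For key "__proto__" the target has no own property of that name, so the
// read goes through the inherited accessor and returns Object.prototype,
// which the recursion then writes into.
function vulnerableDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObjectLike(value)) {
      if (!isPlainObjectLike(target[key])) target[key] = {};
      vulnerableDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip keys that address the prototype chain, and only recurse into
// an object the target OWNS, never one it merely inherits.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObjectLike(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObjectLike(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input sanitisation: true if a parsed body carries a forbidden key at any depth,
// including inside arrays.
function containsPrototypeKey(value) {
  if (Array.isArray(value)) return value.some(containsPrototypeKey);
  if (!isPlainObjectLike(value)) return false;
  return Object.keys(value).some(
    (k) => FORBIDDEN_KEYS.has(k) || containsPrototypeKey(value[k])
  );
}

// Merge the attacker's body into a fresh config with the given merge function,
// then check whether an unrelated object created afterwards inherited the
// injected property. The pollution is removed again so the rest of the
// process is unaffected.
function demonstratePollution(mergeFn) {
  const config = mergeFn({}, JSON.parse(ATTACK_PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.polluted === true;
  delete Object.prototype.polluted;
  return { client: config.client, leaked };
}

console.log(demonstratePollution(vulnerableDeepMerge)); // { client: 'pg', leaked: true }
console.log(demonstratePollution(safeDeepMerge));       // { client: 'pg', leaked: false }
console.log(containsPrototypeKey(JSON.parse(ATTACK_PAYLOAD))); // true
```

The example deletes the property it injected because the effect is process-wide: every object created afterwards, in any module, would otherwise see it. That is also why the third mitigation works as a backstop: with Object.prototype frozen, the write in vulnerableDeepMerge() would throw in strict mode or be ignored in sloppy mode instead of succeeding.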

Remediation Steps:

  1. Upgrade NocoDB to version 0.301.0 or later immediately.
  2. Audit any custom plugins or server extensions that might rely on the legacy deepMerge utility, since they can reintroduce the same recursive-merge behaviour on other endpoints.
  3. If an attack is suspected, restart the NocoDB service: the polluted prototype exists only in the running process's memory (this is corrupted JavaScript state, not native memory corruption), so a restart clears it. Make sure the upgrade from step 1 is already in place, or the next request can pollute it again.

Read the full report for CVE-2026-24766 on our website for more details including interactive diagrams and full exploit analysis.