NocoDB Prototype Pollution Vulnerability in Connection Test Endpoint Leading to Denial-of-Service

Vulnerability

A prototype pollution vulnerability has been identified in NocoDB versions prior to 0.301.0. This issue allows an authenticated user with org-level-creator permissions to exploit the '/api/v2/meta/connection/test' endpoint. The exploitation causes all database write operations to fail application-wide, creating a denial-of-service condition that persists until the server is restarted. Although the pollution bypasses SUPER_ADMIN authorization checks, it does not enable any practical privileged actions, as database operations fail immediately after the pollution occurs.

Impact

Exploitation of this vulnerability pollutes Object.prototype globally, disrupting all database write operations for every user until the Node.js process is restarted.
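As an added illustration (not NocoDB's own code; the advisory does not show the affected code path), the block below assumes the usual cause of this bug class: a recursive merge of a user-supplied connection config that follows a `__proto__` key into `Object.prototype`. It places that merge beside a hardened version, adds a health check an operator can use to confirm a running Node.js process is not polluted, and shows why an inherited key later breaks write operations that enumerate a row.

```javascript
// Added illustration (not NocoDB's code): a naive deep merge of an untrusted
// connection config is the assumed pollution path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Vulnerable: follows a "__proto__" key into Object.prototype and writes there.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      deepMergeUnsafe(target[key], value);
    } else target[key] = value;
  }
  return target;
}
// Hardened: drops prototype keys, walks own keys only, and never recurses into
// an inherited object on the target side.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      target[key] = deepMergeSafe(own !== null && typeof own === 'object' ? own : {}, value);
    } else target[key] = value;
  }
  return target;
}
// Health check: Object.prototype normally has no enumerable keys at all.
function prototypePollutionIndicators() {
  return Object.keys(Object.prototype);
}

// Why writes then fail: for..in over a row picks up the injected key as if it
// were a column (constructed stand-in for a query builder).
function columnsForInsert(row) {
  const cols = [];
  for (const k in row) cols.push(k);
  return cols;
}

function demo() { // constructed request body shaped like a connection config
  const untrusted = JSON.parse('{"host":"db.internal","__proto__":{"polluted":"yes"}}');
  const safe = deepMergeSafe({}, untrusted);
  const before = prototypePollutionIndicators();
  deepMergeUnsafe({}, untrusted);
  const after = prototypePollutionIndicators();
  const cols = columnsForInsert({ id: 1 });
  delete Object.prototype.polluted; // undo the pollution in this process
  return { safe, before, after, cols };
}
```

In a real service the pollution cannot be undone this neatly because the injected key is not known in advance, which is why the advisory says the condition persists until the process is restarted; the health check above is what a readiness probe would call.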

Remediation

Users can upgrade to NocoDB version 0.301.0 or later to address this vulnerability.

Added: Jan 28, 2026, 9:21 PM
Updated: Jan 28, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.