CVE-2026-24766
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Description
### Summary

An authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until the server is restarted. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.

### Details

The `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts` does not filter the keys `__proto__`, `constructor` and `prototype`:

```typescript
export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]); // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};
```

The `testConnection` endpoint (`packages/nocodb/src/controllers/utils.controller.ts`) passes user-controlled input directly to `deepMerge()`:

```typescript
config = await integration.getConfig();
deepMerge(config, body);
```

When an attacker sends `{"__proto__": {"super": true}}`, the `super` property is written to `Object.prototype`, affecting all plain objects in the Node.js process.

### Impact

Pollutes `Object.prototype` globally, breaking all subsequent database write operations for all users until the process is restarted.
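As an added illustration that is not NocoDB's own code: a minimal merge mirroring the vulnerable pattern above, a hardened variant that refuses the prototype-related keys, and a check that shows only the unsafe one leaks the injected property onto unrelated objects. The connection-config fields are constructed; the payload is the one quoted in the advisory.

```typescript
// Added example, not NocoDB code: vulnerable merge beside a hardened one.
const isObj = (v: any): boolean => typeof v === "object" && v !== null;

// Vulnerable pattern: every own key is merged, including "__proto__", so
// target["__proto__"] resolves to Object.prototype and gets written to.
function unsafeDeepMerge(target: any, ...sources: any[]): any {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (isObj(source[key])) {
        if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
        unsafeDeepMerge(target[key], source[key]);
      } else {
        target[key] = source[key];
      }
    }
  }
  return target;
}

// Hardened variant: drop prototype-related keys and only recurse into an
// object the target owns itself, never one reached via the prototype chain.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(target: any, ...sources: any[]): any {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const value = source[key];
      if (isObj(value)) {
        const own = Object.prototype.hasOwnProperty.call(target, key);
        if (!own || !isObj(target[key])) target[key] = Array.isArray(value) ? [] : {};
        safeDeepMerge(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Merges the advisory's payload into a fresh, constructed connection config
// and reports whether an unrelated plain object inherited "super"; cleans up.
function pollutes(merge: (t: any, ...s: any[]) => any): boolean {
  const config = { client: "pg", connection: { host: "db.example" } };
  merge(config, JSON.parse('{"__proto__": {"super": true}}'));
  const leaked = ({} as any).super === true;
  delete (Object.prototype as any).super;
  return leaked;
}
```

Running `pollutes(unsafeDeepMerge)` returns true while `pollutes(safeDeepMerge)` returns false, which is the behavioural difference a regression test for this class of bug should assert.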
How to fix CVE-2026-24766
To remediate CVE-2026-24766, upgrade the affected package to a fixed version below.
- Upgrade to 0.301.0 or later
Is CVE-2026-24766 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.301.0