CVE-2026-47377
NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
Description
### Summary

The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as `https://nocodb.example/#//attacker.com/phishing` silently redirected visitors to an attacker-controlled origin.

### Details

In `packages/nc-gui/plugins/hashRedirect.client.ts`, the plugin extracted the hash content and normalised it into `cleanUrl`:

```ts
let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
if (hashQuery) cleanUrl += `?${hashQuery}`
window.location.replace(cleanUrl)
```

`startsWith('/')` returns true for `//attacker.com/...`, which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect.

The fix adds an early `if (/^\/[/\\]/.test(hashPath)) return` to reject protocol-relative paths.

### Impact

- Open redirect from any NocoDB origin to an attacker-controlled domain.
- No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login.

### Credit

This issue was reported by [@fg0x0](https://github.com/fg0x0).
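The following is an added example, not NocoDB's code: it places the weak `startsWith('/')` normalisation described above beside a hardened version that applies the fix's `/^\/[/\\]/` check, and uses the WHATWG `URL` parser to show which candidates would leave the application origin. The sample hash fragments and the `https://nocodb.example` origin are constructed for the example; `window.location` is never touched, so it runs under Node or a browser console.

```typescript
// Added example (not NocoDB's code). Constructed hash fragments, i.e. the part
// of the URL after '#', with any query string already split off.
const SAMPLE_HASH_PATHS: string[] = [
  '/nc/view/abc123',           // ordinary in-app path
  'nc/view/abc123',            // missing leading slash; normalised to /nc/...
  '//attacker.example/phish',  // protocol-relative URL: the vulnerable case
  '/\\attacker.example/phish', // backslash variant; browsers treat '/\' like '//'
  '/',                         // bare root path
]

// Vulnerable normalisation as described in the advisory: only startsWith('/')
// is checked, so a protocol-relative path passes straight through.
function weakNormalise(hashPath: string, hashQuery = ''): string {
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
  if (hashQuery) cleanUrl += `?${hashQuery}`
  return cleanUrl
}

// Hardened normalisation mirroring the fix: reject anything that starts with
// '/' followed by '/' or '\' before normalising. Returns null when the
// redirect must be skipped instead of performed.
function safeNormalise(hashPath: string, hashQuery = ''): string | null {
  if (/^\/[/\\]/.test(hashPath)) return null
  let cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`
  if (hashQuery) cleanUrl += `?${hashQuery}`
  return cleanUrl
}

// Resolve a candidate the way the browser would (relative to the app origin)
// and report whether the resulting origin is still the application's own.
function staysOnOrigin(candidate: string, origin: string): boolean {
  return new URL(candidate, origin).origin === origin
}

interface Verdict {
  weak: string            // what the vulnerable code would pass to location.replace
  weakSameOrigin: boolean // whether that target stays on the app origin
  safe: string | null     // what the fixed code would use, or null if rejected
}

function classify(hashPath: string, origin = 'https://nocodb.example'): Verdict {
  const weak = weakNormalise(hashPath)
  return {
    weak,
    weakSameOrigin: staysOnOrigin(weak, origin),
    safe: safeNormalise(hashPath),
  }
}

// Stand-alone demo: print a verdict for each constructed fragment.
for (const p of SAMPLE_HASH_PATHS) {
  console.log(JSON.stringify(p), classify(p))
}
```

The `staysOnOrigin` check is the property a reviewer actually cares about: both `//attacker.example/phish` and the backslash variant resolve to a foreign origin under the weak path, and both are rejected (`safe === null`) by the regex from the fix, while ordinary in-app paths are normalised exactly as before.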
How to fix CVE-2026-47377
To remediate CVE-2026-47377, upgrade the affected package to a fixed version below.
- upgrade to 2026.04.1 or later
Is CVE-2026-47377 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47377.
Affected packages (1)
- from 0, < 2026.04.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |