PT-2026-50476 · Nocodb · Nocodb

Published 2026-06-17 · Updated 2026-06-23 · CVE-2026-53930

CVSS v4.0: 5.1 Medium

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

NocoDB versions prior to 2026.05.1

Description

The 'base-migration' endpoint accepts a caller-supplied URL that the migration worker dereferences without enforcing the protocol or destination. This allows for scheme abuse, such as using file: or ftp:, and the probing of internal HTTP destinations. Specifically, the body.migrationUrl variable in the 'migrate' endpoint lacked protocol validation, which could coerce the migration worker into reading local files or communicating with non-HTTP services. Access to this endpoint is restricted to the workspace owner role via Access Control List (ACL).

Recommendations

Update to version 2026.05.1.
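
One way to enforce both the protocol and the destination of a caller-supplied URL such as body.migrationUrl, shown as an added example that is not NocoDB's actual fix. The function names are hypothetical, and hostname resolution is assumed to be done by the caller and passed in.

```javascript
// Added example. checkMigrationUrl and isInternalAddress are hypothetical
// names, not NocoDB code.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True for loopback, private, link-local, CGNAT and unspecified addresses.
// Deliberately conservative: hex-form IPv4-mapped IPv6 is always rejected.
function isInternalAddress(ip) {
  const v4 = ip.match(/^(?:::ffff:)?(\d+)\.(\d+)\.(\d+)\.(\d+)$/i);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10
      (a === 169 && b === 254) ||             // 169.254.0.0/16
      (a === 172 && b >= 16 && b <= 31) ||    // 172.16.0.0/12
      (a === 192 && b === 168);               // 192.168.0.0/16
  }
  const v6 = ip.toLowerCase();
  return v6 === '::' || v6 === '::1' ||
    /^f[cd]/.test(v6) ||        // fc00::/7 unique local
    /^fe[89ab]/.test(v6) ||     // fe80::/10 link-local
    v6.startsWith('::ffff:');   // IPv4-mapped, hex form
}

// raw: the caller-supplied URL (body.migrationUrl on the page).
// resolvedAddrs: addresses the hostname resolved to, supplied by the caller
// (e.g. from dns.lookup with all: true); ignored for IP-literal hosts.
function checkMigrationUrl(raw, resolvedAddrs = []) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: 'protocol' };
  }
  // URL normalises IPv4 shorthand (decimal, hex) and brackets IPv6 literals.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const isLiteral = /^\d+\.\d+\.\d+\.\d+$/.test(host) || host.includes(':');
  const addrs = isLiteral ? [host] : resolvedAddrs;
  if (addrs.length === 0) return { ok: false, reason: 'unresolved' };
  if (addrs.some(isInternalAddress)) {
    return { ok: false, reason: 'internal-destination' };
  }
  return { ok: true, addrs };
}
```

The check only holds if the worker then connects to one of the returned addrs instead of resolving the hostname again, and runs the same check on every redirect hop.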

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-53930
GHSA-H6VV-PCQ8-7XM4

Affected Products

Nocodb