PT-2026-5218 · Nocodb · Nocodb
Cp-57 · Published 2026-01-28 · Updated 2026-01-29 · CVE-2026-24766
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.301.0

Description: An authenticated user with org-level creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint. Successful exploitation causes all database write operations to fail application-wide until the server is restarted. The issue stems from the deepMerge() function in packages/nocodb/src/utils/dataUtils.ts, which does not sanitize the keys __proto__, constructor and prototype. The testConnection endpoint in packages/nocodb/src/controllers/utils.controller.ts passes user-controlled input directly to deepMerge(). Sending a payload such as {"__proto__": {"super": true}} writes the super property onto Object.prototype, affecting every plain object in the Node.js process. The vulnerable function is deepMerge(). The vulnerable parameter is body.

Recommendations: Versions prior to 0.301.0 should be updated to version 0.301.0 or later.
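As an added illustration (this is not NocoDB's code and is not taken from the advisory or the GHSA), the following Node.js snippet reproduces the unsafe recursive-merge pattern the description refers to and places a hardened variant beside it. The names vulnerableDeepMerge, safeDeepMerge and isPlainObject, and the request body, are assumptions constructed for the example; only the payload shape follows the one quoted above.

```javascript
// Illustrative prototype-pollution sink and its hardened counterpart.
// This is NOT NocoDB's deepMerge(); it reproduces the unsafe pattern the
// advisory describes (recursive merge with no key filtering) so the effect
// can be observed in a plain Node.js process. Run: node pollution.js

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: keys from user input are used directly as property
// names on the target. For key "__proto__" on a {} target, target[key]
// resolves to Object.prototype, and the recursion writes into it.
function vulnerableDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      vulnerableDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse the keys that reach the prototype chain, and only
// descend into properties the target actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body shaped like the advisory's payload (not a captured
// request). Going through JSON.parse matters: an object literal {__proto__: ...}
// would set the prototype, whereas JSON.parse yields an own property literally
// named "__proto__", which is what an HTTP JSON body produces.
const PAYLOAD_JSON = '{"__proto__": {"super": true}, "client": "pg"}';

function runVulnerable() {
  const body = JSON.parse(PAYLOAD_JSON);
  const merged = vulnerableDeepMerge({}, body);
  const unrelated = {};                       // any plain object created afterwards
  const polluted = unrelated.super === true;  // Object.prototype now carries "super"
  delete Object.prototype.super;              // undo so the rest of this process is clean
  return { polluted, client: merged.client };
}

function runSafe() {
  const body = JSON.parse(PAYLOAD_JSON);
  let rejected = false;
  try {
    safeDeepMerge({}, body);
  } catch (e) {
    rejected = true;                          // request would be rejected with 4xx
  }
  return { rejected, polluted: ({}).super === true };
}

console.log('vulnerable:', runVulnerable()); // { polluted: true, client: 'pg' }
console.log('hardened:  ', runSafe());       // { rejected: true, polluted: false }
```

Rejecting the request outright (rather than silently dropping the key) is the safer choice for an endpoint that only needs a connection-config object: a body carrying __proto__ is never legitimate input there, and a hard error leaves an audit trail. The own-property check matters independently of the blocklist, because a lookup like target[key] on a plain object walks the prototype chain for any inherited name.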

Tags: Exploit · Fix · DoS · Prototype Pollution

Weakness Enumeration

Related Identifiers: CVE-2026-24766, GHSA-95FF-46G6-6GW9

Affected Products: Nocodb