What is GHSA-wvqj-9wv4-7ff5?

GHSA-wvqj-9wv4-7ff5 is a security advisory published by GitHub Security Advisories with Medium severity. NocoDB: Path Traversal via SQLite Source Filename

Which CVE IDs does GHSA-wvqj-9wv4-7ff5 cover?

GHSA-wvqj-9wv4-7ff5 covers the following CVE IDs: CVE-2026-47385. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-wvqj-9wv4-7ff5?

GHSA-wvqj-9wv4-7ff5 affects 1 product, including: npm/nocodb:\u003c= 2026.05.0.

GHSA-wvqj-9wv4-7ff5Medium

NocoDB: Path Traversal via SQLite Source Filename

Vendor

GitHub Security Advisories

Published

June 5, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-47385 →

📋 Description

Summary

An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases.

Details

The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.

Impact

Disclosure and modification of NocoDB internal state, of other tenants' databases, and of any file the NocoDB process can read or write. Authentication and base-create permission are required.

NocoDB: Path Traversal via SQLite Source Filename

🔗 CVE IDs covered (1)

📋 Description

Summary

Details

Impact

Credit

🎯 Affected products1

🔗 References (3)