What is the severity of CVE-2026-24766?

CVE-2026-24766 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-24766?

No known public exploits are currently available for CVE-2026-24766.

Is there a patch available for CVE-2026-24766?

Yes, patches are available for CVE-2026-24766. Check the vendor advisories for update instructions.

CVE-2026-24766 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-24766?

### Summary An authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. ### Details The `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts` does not sanitize the following keys: (`__proto__`, `constructor`, `prototype`): ```typescript export const deepMerge = (target: any, ...sources: any[]) => { // ... Object.keys(source).forEach((key) => { if (isMergeableObject(source[key])) { if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {}; deepMerge(target[key], source[key]); // Recursively merges __proto__ } else { target[key] = source[key]; } }); // ... }; ``` The `testConnection` endpoint (`packages/nocodb/src/controllers/utils.controller.ts`) passes user-controlled input directly to `deepMerge()`: ```typescript config = await integration.getConfig(); deepMerge(config, body); ``` When an attacker sends `{"__proto__": {"super": true}}`, the `super` property is written to `Object.prototype`, affecting all plain objects in the Node.js process. ## Impact Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.

While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.

Details

The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not sanitize the following keys: (__proto__, constructor, prototype):

export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]);  // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};

The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():

config = await integration.getConfig();
deepMerge(config, body);

When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.

Impact

Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com