CVE-2026-24768: NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter

January 28, 2026

An unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the continueAfterSignIn parameter.

During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login.
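The origin check the advisory describes as missing, shown as an added illustration rather than NocoDB's own code: a hypothetical `safeContinueTarget` resolves the `continueAfterSignIn` value against the application's origin and only navigates to a same-origin path, while `vulnerableContinueTarget` beside it shows the pass-through pattern the advisory describes. The parameter name comes from the advisory; the function names, default path and sample origin are assumptions.

```javascript
// Added example (not NocoDB's code). Only the parameter name
// continueAfterSignIn is taken from the advisory; everything else is assumed.
const DEFAULT_AFTER_SIGN_IN = '/dashboard';

// Vulnerable pattern (CWE-601): the user-controlled value is used as the
// navigation target with no check on its origin, scheme or host.
function vulnerableContinueTarget(continueAfterSignIn) {
  return continueAfterSignIn || DEFAULT_AFTER_SIGN_IN;
}

// Hardened pattern: resolve the value against the app origin and accept it
// only when the resulting URL stays on that origin. Relative paths resolve
// to the app origin; absolute URLs, protocol-relative values ("//host"),
// backslash variants ("/\host") and non-http schemes ("javascript:") do not,
// so they all fall back to the default landing page.
function safeContinueTarget(continueAfterSignIn, appOrigin) {
  if (typeof continueAfterSignIn !== 'string' || continueAfterSignIn === '') {
    return DEFAULT_AFTER_SIGN_IN;
  }
  let resolved;
  try {
    resolved = new URL(continueAfterSignIn, appOrigin);
  } catch (err) {
    return DEFAULT_AFTER_SIGN_IN; // unparsable input: never forward it
  }
  if (resolved.origin !== new URL(appOrigin).origin) {
    return DEFAULT_AFTER_SIGN_IN; // would leave the application: refuse
  }
  // Re-emit only path, query and fragment so no origin-bearing text survives.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs an attacker-supplied link might carry (assumed).
const SAMPLE_ORIGIN = 'https://nocodb.example';
const SAMPLES = [
  '/dashboard/p1?view=grid#rows',     // legitimate in-app destination
  'https://attacker.example/login',   // absolute external URL
  '//attacker.example/login',         // protocol-relative
  '/\\attacker.example/login',        // backslash slips past naive "/" checks
  'https://nocodb.example@attacker.example/', // userinfo trick
  'javascript:alert(document.cookie)',
];

// Returns how each sample is handled by both implementations.
function compareSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    vulnerable: vulnerableContinueTarget(s),
    safe: safeContinueTarget(s, SAMPLE_ORIGIN),
  }));
}

module.exports = { vulnerableContinueTarget, safeContinueTarget, compareSamples };
```

Every sample except the first resolves to the default page under `safeContinueTarget`, while `vulnerableContinueTarget` forwards all of them unchanged.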

References

  • github.com/advisories/GHSA-3hmw-8mw3-rmpj
  • github.com/nocodb/nocodb
  • github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj
  • nvd.nist.gov/vuln/detail/CVE-2026-24768

Affected versions

All versions before 0.301.0

Fixed versions

  • 0.301.0

Solution

Upgrade to version 0.301.0 or above.

Impact: 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Weakness

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Source file

npm/nocodb/CVE-2026-24768.yml

Page generated Wed, 04 Feb 2026 00:35:32 +0000.