Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table - including columns the view owner had hidden.
Details
publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. All three handlers now also fetch the shared view's column entries and reject the request unless the matching entry has show=true. The four public relation routes covered by the fix are:
GET /api/v2/public/shared-view/:uuid/rows/:rowId/mm/:columnId(many-to-many)GET /api/v2/public/shared-view/:uuid/rows/:rowId/hm/:columnId(has-many)GET /api/v2/public/shared-view/:uuid/rows/:rowId/{ln,om}/:columnId
(links / one-to-many - both share the many-to-many handler)
GET /api/v2/public/shared-view/:uuid/nested/:columnId(form/gallery
picker)
Impact
Anyone holding a share UUID could enumerate the full set of linked records for any hidden LTAR column on the view's table by calling the relation endpoint directly, even when the same column was correctly omitted from the public /rows response.
Credit
This issue was reported by @leduckhuong.
AnalysisAI
Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers publicMmList, publicHmList, and relDataList enforced column-to-view-model membership but omitted a check on the per-column show flag, creating a gap between the public /rows response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.
Technical ContextAI
NocoDB is an open-source no-code database platform distributed as the npm package pkg:npm/nocodb. Its shared-view feature generates a UUID-based public URL that exposes a view of a table with configurable column visibility. The platform supports LTAR (Linked To Another Record) relationship column types - many-to-many, has-many, links, and one-to-many - each served by dedicated relation sub-endpoints under /api/v2/public/shared-view/:uuid/. The root cause is CWE-284 (Improper Access Control): the server-side handlers validated that a caller-supplied columnId belonged to the view's underlying table model but did not also verify the corresponding view-column entry's show flag. Because column visibility is stored separately in view-column join records rather than on the column definition itself, the authorization check was structurally incomplete. The fix requires fetching view-column entries at request time and gating access on show=true for the requested column.
RemediationAI
Upgrade nocodb to version 2026.05.1 or later, which is the vendor-released patch confirmed by the GitHub advisory and release notes at https://github.com/nocodb/nocodb/releases/tag/2026.05.1. The fix adds show flag validation to publicMmList, publicHmList, and relDataList handlers so that relation sub-endpoints reject requests for hidden columns. If immediate upgrade is not possible, the most actionable compensating control is to revoke and regenerate shared view UUIDs for any views that contain hidden LTAR columns, since UUID possession is the sole prerequisite for exploitation; note this will invalidate existing share links for legitimate users. Alternatively, temporarily removing LTAR columns from shared views entirely eliminates the attack surface without revoking UUIDs, at the cost of losing relation data visibility for legitimate viewers. Do not rely solely on restricting the /rows endpoint response, as the relation sub-endpoints bypass that filtering.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38620
GHSA-9wgh-m22w-9xj8