Skip to main content

NocoDB CVE-2026-47378

| EUVDEUVD-2026-38625 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-05 https://github.com/nocodb/nocodb GHSA-4w6r-5c2j-qf5f
6.9
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 21:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 05, 2026 - 16:40 vuln.today
Analysis Generated
Jun 05, 2026 - 16:40 vuln.today

DescriptionCVE.org

Summary

Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base.

Details

A new sanitizeListArgsForPublicView helper now strips request keys that should never be caller-controlled (e.g. getHiddenColumn, nested), parses where clauses against a restricted alias map that only contains visible columns, and recursively removes filter/sort entries whose fk_column_id is not in the visible set. validateGroupByColumnNames and validateGroupColumnId reject groupBy requests whose column_name (CSV-style) or groupColumnId is not in the visible or group-by column set. relDataList now checks column.fk_model_id === currentModel.id before resolving the linked table, matching the pre-existing check on publicMmList and publicHmList.

Impact

Anyone with a shared-view UUID could enumerate hidden-column values directly (via groupBy), confirm hidden-column values by observing row counts (via filter), or read records from unrelated tables in the same base (via the related-data list). No authentication was required.

Credit

This issue was reported by @0xBassia. It was independently reported by @b-hermes.

AnalysisAI

Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.

Technical ContextAI

NocoDB (pkg:npm/nocodb) is an open-source Airtable alternative that exposes database tables through a web UI and REST API. Its 'shared view' feature generates a publicly accessible UUID-based URL for read-only access to a configured view. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): the server accepted caller-supplied column identifiers - via groupBy CSV strings, filter/sort fk_column_id fields, and relDataList link-column IDs - and resolved them directly against the underlying database model without first checking whether those columns were visible in the requesting view. The fix introduces a sanitizeListArgsForPublicView helper that strips privileged request keys (getHiddenColumn, nested), builds a restricted alias map containing only visible-column fields before parsing where clauses, and recursively prunes filter/sort entries whose fk_column_id falls outside the visible set. validateGroupByColumnNames and validateGroupColumnId enforce the same restriction for groupBy. relDataList now gates on column.fk_model_id === currentModel.id before resolving linked tables, closing the cross-table data path.

RemediationAI

Vendor-released patch: 2026.04.1. Upgrade the nocodb npm package to version 2026.04.1 or later; this version introduces the sanitizeListArgsForPublicView helper, groupBy column validators, and the relDataList model-ID check that collectively close all three disclosed bypass paths. Release notes are at https://github.com/nocodb/nocodb/releases/tag/2026.04.1 and the security advisory is at https://github.com/nocodb/nocodb/security/advisories/GHSA-4w6r-5c2j-qf5f. If immediate patching is not feasible, disable all public shared-view links for any view containing hidden columns with sensitive data - this eliminates the attack surface entirely because the vulnerability only manifests through shared-view UUID endpoints. Note that disabling existing shared links will break access for any legitimate consumers of those URLs and is a disruptive mitigation; patching is strongly preferred.

Share

CVE-2026-47378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy