Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
The shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing.
Details
The bcrypt branch (hashes starting with $2a$/$2b$) was unaffected. The legacy fallback in View.ts now uses crypto.timingSafeEqual and a same-length dummy compare on the length-mismatch path, so total comparison time is approximately length-independent. The EE dashboard model's verifyPassword is patched the same way.
Impact
A network-positioned attacker could mount a timing oracle against shared views whose passwords predated the bcrypt migration. Exploitation requires the ability to time shared-view authentication responses but no prior authentication.
Credit
This issue was reported by @Proscan-one.
AnalysisAI
Timing oracle in NocoDB's shared-view password authentication allows a network-positioned attacker to recover legacy plaintext passwords character-by-character through response time measurement. Affected installations are those where shared-view passwords were set before the bcrypt migration - passwords stored as bcrypt hashes (prefixed $2a$/$2b$) were never vulnerable. The strict-equality (===) JavaScript comparison leaked both password length and per-character prefix timing, enabling incremental brute-force without any prior authentication. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
NocoDB is an open-source, no-code database platform distributed as an npm package (pkg:npm/nocodb). The vulnerable code path resided in View.ts, which handled password verification for shared views - a feature allowing access-controlled table/view sharing via URL. Legacy plaintext passwords (predating the platform's migration to bcrypt) were compared using JavaScript's = strict-equality operator rather than a constant-time comparison primitive. This is a classic CWE-200 (Exposure of Sensitive Information) instance manifesting as a timing side-channel: = short-circuits on the first mismatched character, making response latency a function of how many leading characters match. The length mismatch path also leaked information because no dummy comparison was performed when string lengths differed. The EE dashboard model's verifyPassword method contained the same flaw. The fix introduces crypto.timingSafeEqual (Node.js's constant-time buffer comparison) alongside a same-length dummy comparison on the length-mismatch path, making total comparison time approximately length-independent.
RemediationAI
Upgrade NocoDB to version 2026.05.1, which is the vendor-released patch that replaces the strict-equality comparison with crypto.timingSafeEqual and adds a same-length dummy comparison on the length-mismatch code path. The release is available at https://github.com/nocodb/nocodb/releases/tag/2026.05.1. For installations that cannot immediately upgrade, a targeted workaround is to reset all shared-view passwords, which will cause NocoDB to store new passwords using the bcrypt path - making them immune to this timing vulnerability even on the unpatched version. This workaround requires identifying and rotating all affected shared views, which may disrupt active shared-view users who will need to be re-issued access credentials. There are no known side effects to the patch itself. No further configuration changes are required post-upgrade.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38619
GHSA-qhxg-623c-cfjm