Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
A user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace.
Details
The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and checked only that the integration was non-private and that the caller held an owner/creator role on any base in any workspace. The permission lookup is now scoped to the integration's workspace by joining on fk_workspace_id, and the controller rejects requests where the integration's workspace differs from the request's workspace.
Impact
Cross-tenant access to integration configuration through the connection-test endpoint, including the ability to drive the resolved database with the other workspace's credentials. Authentication with creator-or-owner role on any base in any workspace was sufficient.
Credit
This issue was reported by @DongyangLyu.
AnalysisAI
Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.
Technical ContextAI
NocoDB (pkg:npm/nocodb) is an open-source Airtable alternative supporting workspace-scoped database integrations, where each workspace can define credentials for external databases. The testConnection API endpoint is intended to verify database connectivity using those stored credentials. The root cause, classified under CWE-290 (Authentication Bypass by Spoofing), is that the endpoint fetched integration records using an internal RootScopes.BYPASS scope that circumvents standard workspace-bound authorization, then validated only that the caller held an owner/creator role on any base in any workspace - not necessarily one associated with the target integration. This broken object-level authorization allowed a user's role in workspace A to be incorrectly treated as sufficient authority over workspace B's resources. The fix scopes the database query by joining on fk_workspace_id to tie the integration lookup to the requesting workspace, and adds a controller-level assertion that rejects requests where the integration's workspace ID does not match the request's workspace context.
RemediationAI
Vendor-released patch: 2026.05.1. Upgrade NocoDB to version 2026.05.1 or later, available at https://github.com/nocodb/nocodb/releases/tag/2026.05.1; this release resolves the issue by scoping integration lookups via fk_workspace_id and adding a controller-level workspace-match validation that rejects cross-workspace requests. If an immediate upgrade is not possible, operators of self-hosted deployments can restrict access to the testConnection endpoint at the reverse proxy or firewall layer, though this will disable legitimate connection testing for all users and may impact onboarding workflows. In strictly single-tenant self-hosted deployments where all workspace members belong to the same organization and mutual database access is acceptable, the practical risk is reduced - but upgrade remains the recommended resolution. No alternative documented workarounds are provided in the vendor advisory.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38618
GHSA-96fh-m4r8-6v9v