Skip to main content

NocoDB CVE-2026-47381

| EUVDEUVD-2026-38618 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-06-05 https://github.com/nocodb/nocodb GHSA-96fh-m4r8-6v9v
6.9
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 21:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 05, 2026 - 16:39 vuln.today
Analysis Generated
Jun 05, 2026 - 16:39 vuln.today

DescriptionCVE.org

Summary

A user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace.

Details

The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and checked only that the integration was non-private and that the caller held an owner/creator role on any base in any workspace. The permission lookup is now scoped to the integration's workspace by joining on fk_workspace_id, and the controller rejects requests where the integration's workspace differs from the request's workspace.

Impact

Cross-tenant access to integration configuration through the connection-test endpoint, including the ability to drive the resolved database with the other workspace's credentials. Authentication with creator-or-owner role on any base in any workspace was sufficient.

Credit

This issue was reported by @DongyangLyu.

AnalysisAI

Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.

Technical ContextAI

NocoDB (pkg:npm/nocodb) is an open-source Airtable alternative supporting workspace-scoped database integrations, where each workspace can define credentials for external databases. The testConnection API endpoint is intended to verify database connectivity using those stored credentials. The root cause, classified under CWE-290 (Authentication Bypass by Spoofing), is that the endpoint fetched integration records using an internal RootScopes.BYPASS scope that circumvents standard workspace-bound authorization, then validated only that the caller held an owner/creator role on any base in any workspace - not necessarily one associated with the target integration. This broken object-level authorization allowed a user's role in workspace A to be incorrectly treated as sufficient authority over workspace B's resources. The fix scopes the database query by joining on fk_workspace_id to tie the integration lookup to the requesting workspace, and adds a controller-level assertion that rejects requests where the integration's workspace ID does not match the request's workspace context.

RemediationAI

Vendor-released patch: 2026.05.1. Upgrade NocoDB to version 2026.05.1 or later, available at https://github.com/nocodb/nocodb/releases/tag/2026.05.1; this release resolves the issue by scoping integration lookups via fk_workspace_id and adding a controller-level workspace-match validation that rejects cross-workspace requests. If an immediate upgrade is not possible, operators of self-hosted deployments can restrict access to the testConnection endpoint at the reverse proxy or firewall layer, though this will disable legitimate connection testing for all users and may impact onboarding workflows. In strictly single-tenant self-hosted deployments where all workspace members belong to the same organization and mutual database access is acceptable, the practical risk is reduced - but upgrade remains the recommended resolution. No alternative documented workarounds are provided in the vendor advisory.

Share

CVE-2026-47381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy