Skip to main content

NocoDB EUVDEUVD-2026-38584

| CVE-2026-46552 MEDIUM
Improper Authorization (CWE-285)
2026-05-21 https://github.com/nocodb/nocodb GHSA-chqv-vrj7-qffp
5.8
CVSS 3.1 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 23:02 EUVD
Source Code Evidence Fetched
May 21, 2026 - 21:37 vuln.today
Analysis Generated
May 21, 2026 - 21:37 vuln.today

DescriptionCVE.org

Summary

Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link.

Details

Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers.

The end-to-end chain:

  • GET /api/v2/meta/bases/:baseId/users returned the member list to shared-base callers (@Acl('baseUserList')).
  • POST /api/v2/meta/bases/:baseId/users accepted an invite from shared-base callers (@Acl('userInvite')); base-users.service.ts inserted a real nc_users_v2 row with invite_token and a nc_base_users_v2 row for the target base, with invited_by = null.
  • The invited account redeemed the invite through the normal signup path (users.service.ts), gaining a persistent JWT scoped to the base.
  • Revoking the shared link did not affect the redeemed account.

Impact

  • Confidentiality: shared-base link exposes member email addresses.
  • Integrity: shared-base link can mutate base ACL state by creating new members.
  • Persistence: link-based access converts into durable authenticated access that survives revocation of the share.

Credit

This issue was reported by @0xmrma.

AnalysisAI

Improper authorization in NocoDB (npm/nocodb ≤ 0.301.3) allows unauthenticated network attackers holding only a shared-base UUID to enumerate base members and inject arbitrary email addresses as permanent authenticated base members. The invited account redeems the invite through the normal signup flow, obtains a persistent JWT scoped to the target base, and retains that access even after the base owner revokes the shared link - effectively converting ephemeral anonymous share access into durable authenticated membership. No public exploit code has been identified and there is no CISA KEV listing at time of analysis, but the absence of a released patch and the trivial exploitation prerequisites materially elevate operational risk beyond what the CVSS 5.8 score alone implies.

Technical ContextAI

The root cause is CWE-285 (Improper Authorization). NocoDB supports shared-base links authenticated via the xc-shared-base-id HTTP header rather than a user JWT. The strategy file packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts maps all shared-base sessions to the internal role ProjectRoles.VIEWER. Critically, the ACL configuration in packages/nocodb/src/utils/acl.ts grants the baseUserList and userInvite permission scopes to that VIEWER role without differentiating between a session backed by a real authenticated user JWT and one backed solely by a public share UUID. When the POST /api/v2/meta/bases/:baseId/users endpoint processes an invite from a shared-base caller, base-users.service.ts inserts a real row into nc_users_v2 with an invite_token and a corresponding nc_base_users_v2 row with invited_by = null, which serves as a forensic indicator. The redemption path in users.service.ts issues a full-scoped JWT without validating the provenance of the invite, and link revocation operates only on the share record - not on accounts already converted. The CVSS Scope: Changed rating (S:C) correctly reflects that exploitation crosses from the unauthenticated shared-link context into the authenticated membership domain. Affected package is pkg:npm/nocodb versions up to and including 0.301.3.

RemediationAI

No vendor-released patch has been identified for nocodb ≤ 0.301.3 at time of analysis per the GHSA advisory (https://github.com/nocodb/nocodb/security/advisories/GHSA-chqv-vrj7-qffp); monitor the NocoDB GitHub repository and advisory for a fix release. As compensating controls: disable the shared-base link feature entirely for all bases that do not strictly require it, removing the attack vector at the cost of eliminating collaborative sharing functionality. Audit nc_base_users_v2 and nc_users_v2 for rows where invited_by = null - these are forensic indicators of potential exploitation and any unauthorized accounts should be removed immediately, as link revocation alone will not evict them. Restrict network access to the NocoDB API paths /api/v2/meta/bases/*/users via a reverse proxy or firewall to trusted IP ranges, accepting the trade-off of potentially breaking legitimate administrator workflows. For operators with access to the source, the targeted code fix is to modify packages/nocodb/src/utils/acl.ts to remove baseUserList and userInvite grants from ProjectRoles.VIEWER when the session context originates from a shared-base header rather than a genuine JWT - this requires a custom patch until an official release is available.

Share

EUVD-2026-38584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy