Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Summary
Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link.
Details
Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers.
The end-to-end chain:
GET /api/v2/meta/bases/:baseId/usersreturned the member list to shared-base callers (@Acl('baseUserList')).POST /api/v2/meta/bases/:baseId/usersaccepted an invite from shared-base callers (@Acl('userInvite'));base-users.service.tsinserted a realnc_users_v2row withinvite_tokenand anc_base_users_v2row for the target base, withinvited_by = null.- The invited account redeemed the invite through the normal signup path (
users.service.ts), gaining a persistent JWT scoped to the base. - Revoking the shared link did not affect the redeemed account.
Impact
- Confidentiality: shared-base link exposes member email addresses.
- Integrity: shared-base link can mutate base ACL state by creating new members.
- Persistence: link-based access converts into durable authenticated access that survives revocation of the share.
Credit
This issue was reported by @0xmrma.
AnalysisAI
Improper authorization in NocoDB (npm/nocodb ≤ 0.301.3) allows unauthenticated network attackers holding only a shared-base UUID to enumerate base members and inject arbitrary email addresses as permanent authenticated base members. The invited account redeems the invite through the normal signup flow, obtains a persistent JWT scoped to the target base, and retains that access even after the base owner revokes the shared link - effectively converting ephemeral anonymous share access into durable authenticated membership. No public exploit code has been identified and there is no CISA KEV listing at time of analysis, but the absence of a released patch and the trivial exploitation prerequisites materially elevate operational risk beyond what the CVSS 5.8 score alone implies.
Technical ContextAI
The root cause is CWE-285 (Improper Authorization). NocoDB supports shared-base links authenticated via the xc-shared-base-id HTTP header rather than a user JWT. The strategy file packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts maps all shared-base sessions to the internal role ProjectRoles.VIEWER. Critically, the ACL configuration in packages/nocodb/src/utils/acl.ts grants the baseUserList and userInvite permission scopes to that VIEWER role without differentiating between a session backed by a real authenticated user JWT and one backed solely by a public share UUID. When the POST /api/v2/meta/bases/:baseId/users endpoint processes an invite from a shared-base caller, base-users.service.ts inserts a real row into nc_users_v2 with an invite_token and a corresponding nc_base_users_v2 row with invited_by = null, which serves as a forensic indicator. The redemption path in users.service.ts issues a full-scoped JWT without validating the provenance of the invite, and link revocation operates only on the share record - not on accounts already converted. The CVSS Scope: Changed rating (S:C) correctly reflects that exploitation crosses from the unauthenticated shared-link context into the authenticated membership domain. Affected package is pkg:npm/nocodb versions up to and including 0.301.3.
RemediationAI
No vendor-released patch has been identified for nocodb ≤ 0.301.3 at time of analysis per the GHSA advisory (https://github.com/nocodb/nocodb/security/advisories/GHSA-chqv-vrj7-qffp); monitor the NocoDB GitHub repository and advisory for a fix release. As compensating controls: disable the shared-base link feature entirely for all bases that do not strictly require it, removing the attack vector at the cost of eliminating collaborative sharing functionality. Audit nc_base_users_v2 and nc_users_v2 for rows where invited_by = null - these are forensic indicators of potential exploitation and any unauthorized accounts should be removed immediately, as link revocation alone will not evict them. Restrict network access to the NocoDB API paths /api/v2/meta/bases/*/users via a reverse proxy or firewall to trusted IP ranges, accepting the trade-off of potentially breaking legitimate administrator workflows. For operators with access to the source, the targeted code fix is to modify packages/nocodb/src/utils/acl.ts to remove baseUserList and userInvite grants from ProjectRoles.VIEWER when the session context originates from a shared-base header rather than a genuine JWT - this requires a custom patch until an official release is available.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38584
GHSA-chqv-vrj7-qffp