Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remotely reachable low-complexity API with only an authenticated low-privileged account (PR:L) and no interaction; missing authz yields high read/write/delete impact across data (C/I/A:H), scope unchanged.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
AnalysisAI
Broken access control in Teable's v2 REST API lets any authenticated user bypass authorization and act across bases and tables they should not reach. Because the ORPC controller endpoints (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated Teable account (CVSS PR:L) and network reachability to the application's v2 REST API; it is not exploitable by fully anonymous/unauthenticated users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine priority for any multi-tenant or shared Teable deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privileged Teable account on a shared instance, then calls v2 API endpoints such as GET /api/v2/tables/get to enumerate the schemas of bases they were never granted access to, and POST /api/v2/tables/updateRecords to alter or wipe records in those tables. Because the endpoints lack permission checks, the requests succeed over the network with no user interaction; no public POC was provided, but the attack is straightforward to reproduce given the documented endpoint names. |
| Remediation | Upgrade Teable to the patched build release.2026-06-15T04-43-24Z.1912 (https://github.com/teableio/teable/releases/tag/release.2026-06-15T04-43-24Z.1912), which incorporates the authorization fix from PR #3285 (https://github.com/teableio/teable/pull/3285); note the release notes themselves describe only feature/bugfix changes and do not call out the security fix, so verify the deployed image actually contains PR #3285. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Teable v2 instances in production and audit which users have authenticated API access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39774
GHSA-325v-m87x-26cp