CVE-2026-46549
LowCVSS 2.0Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
In NocoDB prior to version 2026.04.1, an OAuth token with a restricted scope (e.g., MCP-only) inherited full user permissions across all routes. The granted_resources.base_id restriction was bypassed on org-level endpoints that do not populate req.context.base_id.
Risk Assessment
An attacker with a narrowly scoped OAuth token can gain unauthorized access to all organization resources and functions, leading to data leakage or unauthorized actions.
Recommendation
Immediately update NocoDB to version 2026.04.1 or later, which contains a fix for this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.

