CVE Catalog

CVE-2026-46549

LowCVSS 2.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

In NocoDB prior to version 2026.04.1, an OAuth token with a restricted scope (e.g., MCP-only) inherited full user permissions across all routes. The granted_resources.base_id restriction was bypassed on org-level endpoints that do not populate req.context.base_id.

Risk Assessment

An attacker with a narrowly scoped OAuth token can gain unauthorized access to all organization resources and functions, leading to data leakage or unauthorized actions.

Recommendation

Immediately update NocoDB to version 2026.04.1 or later, which contains a fix for this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS