CVE Catalog

CVE-2026-46552

MediumCVSS 5.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had a vulnerability that allowed attackers to access database members through the shared-base session UUID. Attackers could invite arbitrary email addresses as real members of the base, leading to unauthorized access.

Risk Assessment

Organizations may be exposed to unauthorized data access, potentially leading to information leaks and violations of user privacy.

Recommendation

It is recommended to update NocoDB to version 2026.04.1 to mitigate this vulnerability and review the access policy for shared sessions.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS