CVE-2026-47279
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability that allowed access to hidden columns in shared views. Public relation endpoints accepted a caller-supplied column ID without verifying if the column was visible in the shared view.
Risk Assessment
Organizations could be exposed to unauthorized data access, potentially leading to the disclosure of sensitive information. Users holding a share UUID could read data from hidden columns.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 to mitigate this vulnerability. Additionally, conduct an audit of data access in shared views.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.

