CVE Catalog

CVE-2026-47380

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had an issue with differing sign-in response times based on whether the email address was known or unknown. The unknown-user branch returned without performing a password hash comparison, creating a security vulnerability.

Risk Assessment

This vulnerability could lead to brute force attacks, allowing potential attackers to more easily guess passwords for known accounts.

Recommendation

It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this security issue.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS