CVE-2026-47380
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
NocoDB prior to version 2026.04.1 had an issue with differing sign-in response times based on whether the email address was known or unknown. The unknown-user branch returned without performing a password hash comparison, creating a security vulnerability.
Risk Assessment
This vulnerability could lead to brute force attacks, allowing potential attackers to more easily guess passwords for known accounts.
Recommendation
It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this security issue.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.

