CVE-2026-47381
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 allowed users in one workspace to access another workspace's integration through the testConnection endpoint by supplying its ID. The issue stemmed from improper permission checks, enabling unauthorized access.
Risk Assessment
Organizations may be exposed to unauthorized access to data and integrations across different workspaces, potentially leading to data leaks or unauthorized operations.
Recommendation
It is recommended to upgrade NocoDB to version 2026.05.1 or later to mitigate this vulnerability and secure access to integrations in workspaces.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. This vulnerability is fixed in 2026.05.1.

