CVE-2026-47388
Severity: Low (CVSS 2.3)
Exploitation Probability (EPSS): Low risk, 11th percentile (higher than 11% of all known CVEs)
Summary
NocoDB prior to version 2026.05.1 allowed low-privilege users to read files in shared storage, including attachments belonging to other bases and workspaces, if they knew the attachment path. This issue was due to the MCP readAttachment tool not verifying file ownership.
Risk Assessment
Organizations may be exposed to unauthorized access to sensitive data, potentially leading to information leaks and violations of user privacy.
Recommendation
It is recommended to upgrade NocoDB to version 2026.05.1 or later to mitigate this vulnerability, and to audit data access for signs that attachments were read across bases or workspaces.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.