CVE-2026-56773
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
The Teable v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints such as GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Risk Assessment
The risk to the organization includes unauthorized access to sensitive data, its modification or deletion, which may lead to a breach of data integrity and confidentiality, as well as disruption of application operations.
Recommendation
Immediately update Teable to a version where appropriate @Permissions annotations have been added to all ORPC endpoints, and conduct an audit of the authorization configuration.
Original NVD description (English source)
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.

