CVE Catalog

CVE-2026-56773

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

The Teable v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints such as GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.

Risk Assessment

The risk to the organization includes unauthorized access to sensitive data, its modification or deletion, which may lead to a breach of data integrity and confidentiality, as well as disruption of application operations.

Recommendation

Immediately update Teable to a version where appropriate @Permissions annotations have been added to all ORPC endpoints, and conduct an audit of the authorization configuration.

Original NVD description (English source)

Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS