PT-2026-42678 · Nocodb · Nocodb
Published 2026-05-21 · Updated 2026-05-21 · CVE-2026-46552
CVSS v3.1: 5.8 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
NocoDB (affected versions not specified)
Description
An authorization bypass occurs because shared-base sessions are granted the same capabilities as authenticated viewers. By presenting a base's shared-base UUID (the xc-shared-base-id value that anyone holding the public share link has), an unauthenticated attacker can enumerate the base's members and invite arbitrary email addresses to the base as real members. The invited accounts can then redeem the invitation through the standard signup process to obtain persistent authenticated access, which remains active even after the owner revokes the shared link.

Technical details include:
- The endpoint GET /api/v2/meta/bases/:baseId/users allows shared-base callers to retrieve the member list via the baseUserList permission.
- The endpoint POST /api/v2/meta/bases/:baseId/users allows shared-base callers to send invites via the userInvite permission.
- The issue stems from the ACL middleware failing to distinguish shared sessions from genuine viewers, in the base-view.strategy.ts and acl.ts files.
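The root cause described above, modelled as an added example (this is not NocoDB's code): a minimal ACL in the style of the two cited files, with the vulnerable principal resolution next to a hardened one. Only the two endpoints, the two permission names and the xc-shared-base-id header come from the advisory; the role table, the dataList permission, the request shape and the function names are assumptions made for the illustration.

```typescript
// Added illustration, not NocoDB's code: a minimal ACL modelling the flaw in
// the advisory. Names other than the two endpoints, the two permissions and
// the xc-shared-base-id header are assumptions made for the example.

type Permission = "baseUserList" | "userInvite" | "dataList";
type BaseRole = "owner" | "editor" | "viewer";

// Request as the ACL layer sees it after the auth strategy has run.
// `user` is set only when a real login session authenticated the caller.
interface AclRequest {
  headers: Record<string, string>;
  user?: { email: string; baseRole: BaseRole };
}

// Principal kinds. The fix depends on "sharedBase" existing as a kind of its
// own instead of being folded into a "viewer" user.
type Principal =
  | { kind: "user"; role: BaseRole }
  | { kind: "sharedBase"; sharedBaseId: string }
  | { kind: "anonymous" };

// Assumed role table. The advisory says shared-base sessions inherited the
// viewer capabilities, including baseUserList and userInvite, so the viewer
// row carries both here to reproduce that behaviour.
const ROLE_PERMS: Record<BaseRole, ReadonlySet<Permission>> = {
  owner: new Set<Permission>(["baseUserList", "userInvite", "dataList"]),
  editor: new Set<Permission>(["baseUserList", "userInvite", "dataList"]),
  viewer: new Set<Permission>(["baseUserList", "userInvite", "dataList"]),
};

// What a holder of a public share link should be able to do: read the shared
// data and nothing that touches membership.
const SHARED_BASE_PERMS: ReadonlySet<Permission> = new Set<Permission>(["dataList"]);

// Vulnerable resolution (the behaviour the advisory attributes to the
// base-view strategy): a shared-base header is treated as a viewer session.
function resolveVulnerable(req: AclRequest): Principal {
  if (req.user) return { kind: "user", role: req.user.baseRole };
  if (req.headers["xc-shared-base-id"]) return { kind: "user", role: "viewer" };
  return { kind: "anonymous" };
}

// Hardened resolution: the shared-base session stays a distinct principal.
function resolveFixed(req: AclRequest): Principal {
  if (req.user) return { kind: "user", role: req.user.baseRole };
  const sharedBaseId = req.headers["xc-shared-base-id"];
  if (sharedBaseId) return { kind: "sharedBase", sharedBaseId };
  return { kind: "anonymous" };
}

// ACL check. Shared-base principals are looked up in their own allowlist,
// never in the role table.
function isAllowed(p: Principal, perm: Permission): boolean {
  if (p.kind === "user") return ROLE_PERMS[p.role].has(perm);
  if (p.kind === "sharedBase") return SHARED_BASE_PERMS.has(perm);
  return false;
}

// Permission each affected route requires, as named in the advisory.
const ROUTE_PERMS: Record<string, Permission> = {
  "GET /api/v2/meta/bases/:baseId/users": "baseUserList",
  "POST /api/v2/meta/bases/:baseId/users": "userInvite",
};

// Decide a request against one of the affected routes with either resolver.
function authorizeRoute(route: string, req: AclRequest, fixed: boolean): boolean {
  const perm = ROUTE_PERMS[route];
  if (!perm) return false;
  const principal = fixed ? resolveFixed(req) : resolveVulnerable(req);
  return isAllowed(principal, perm);
}

// Constructed sample callers: an anonymous holder of a share UUID, and a
// logged-in owner. The UUID is a placeholder, not a real shared base.
const sharedCaller: AclRequest = {
  headers: { "xc-shared-base-id": "00000000-0000-4000-8000-000000000000" },
};
const ownerCaller: AclRequest = {
  headers: {},
  user: { email: "owner@example.test", baseRole: "owner" },
};

// Before/after summary for the two routes, keyed "<route> vulnerable|fixed".
function summary(): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const route of Object.keys(ROUTE_PERMS)) {
    out[`${route} vulnerable`] = authorizeRoute(route, sharedCaller, false);
    out[`${route} fixed`] = authorizeRoute(route, sharedCaller, true);
  }
  return out;
}

console.log(summary());
```

The hardened resolver keeps the share-link session as its own principal kind with a read-only allowlist, so both membership routes fail closed for anyone who only holds the xc-shared-base-id value, while real members keep the permissions of their role. In a real fix the same separation must hold for every other route that previously inferred a viewer role from the shared-base header, not just the two routes the advisory names.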
Recommendations
At the time of publication there is no information about a newer version that contains a fix for this vulnerability. Because invited accounts keep their access after the shared link is revoked, disabling the public shared-base link alone does not remove the exposure described above; owners of bases that have been shared publicly should also review the base member list and remove any accounts they did not invite.
Weakness Enumeration
Improper Authorization
Related Identifiers
CVE-2026-46552
Affected Products
Nocodb