PT-2026-46992 · Npm · Nocodb
Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-47279
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
The public shared-view relation endpoints accepted a caller-supplied column
ID without verifying that the column was visible in the shared view, so
anyone holding a share UUID could read links from any LTAR column on the
view's table — including columns the view owner had hidden.
Details
publicMmList, publicHmList, and relDataList already ensured that the
requested column belonged to the view's model, but did not check the
view-column entry's show flag. All three handlers now also fetch the
shared view's column entries and reject the request unless the matching
entry has show=true. The four public relation routes covered by the fix
are:

GET /api/v2/public/shared-view/:uuid/rows/:rowId/mm/:columnId (many-to-many)
GET /api/v2/public/shared-view/:uuid/rows/:rowId/hm/:columnId (has-many)
GET /api/v2/public/shared-view/:uuid/rows/:rowId/{ln,om}/:columnId (links / one-to-many; both share the many-to-many handler)
GET /api/v2/public/shared-view/:uuid/nested/:columnId (form/gallery picker)
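The following is an added illustration of the authorization gap and its fix as the Details section describes them; it is not NocoDB's code. The interfaces, function names, the `LinkToAnotherRecord` marker, the sample view data and the choice to answer a hidden column with the same 404 as an unknown column are all assumptions made for this example. The vulnerable variant checks only that the column belongs to the view's table model; the fixed variant additionally requires the view-column entry to exist with `show === true`.

```typescript
// Added example, not NocoDB's implementation. All names and data are constructed.

interface Column {
  id: string;
  title: string;
  uidt: string; // column data type; "LinkToAnotherRecord" marks an LTAR column here
}

interface ViewColumn {
  fk_column_id: string;
  show: boolean; // whether the view owner exposes this column in the shared view
}

interface SharedView {
  uuid: string;
  modelColumns: Column[];    // every column of the table the view is built on
  viewColumns: ViewColumn[]; // per-view visibility entries
}

// Pre-fix behaviour as described: only verifies that the requested column
// belongs to the view's model and is a relation column.
function resolveRelationColumnVulnerable(view: SharedView, columnId: string): Column | null {
  const column = view.modelColumns.find((c) => c.id === columnId);
  if (!column || column.uidt !== 'LinkToAnotherRecord') return null;
  return column;
}

// Post-fix behaviour as described: also requires a matching view-column entry
// with show === true, so hidden LTAR columns are rejected.
function resolveRelationColumnFixed(view: SharedView, columnId: string): Column | null {
  const column = resolveRelationColumnVulnerable(view, columnId);
  if (!column) return null;
  const entry = view.viewColumns.find((vc) => vc.fk_column_id === columnId);
  if (!entry || !entry.show) return null; // hidden in the shared view: deny
  return column;
}

// Constructed sample: one visible LTAR column, one hidden LTAR column, one non-LTAR column.
const sampleView: SharedView = {
  uuid: 'constructed-share-uuid',
  modelColumns: [
    { id: 'col_orders', title: 'Orders', uidt: 'LinkToAnotherRecord' },
    { id: 'col_internal_notes', title: 'InternalNotes', uidt: 'LinkToAnotherRecord' },
    { id: 'col_name', title: 'Name', uidt: 'SingleLineText' },
  ],
  viewColumns: [
    { fk_column_id: 'col_orders', show: true },
    { fk_column_id: 'col_internal_notes', show: false },
    { fk_column_id: 'col_name', show: true },
  ],
};

// Simulates the authorization step of a public relation handler and returns an
// HTTP-like status. Hidden and unknown columns intentionally receive the same
// response so the endpoint does not reveal which hidden columns exist (assumption).
function handlePublicRelationRequest(view: SharedView, columnId: string, fixed: boolean): number {
  const column = fixed
    ? resolveRelationColumnFixed(view, columnId)
    : resolveRelationColumnVulnerable(view, columnId);
  return column ? 200 : 404;
}
```

Run against `sampleView`, the vulnerable path answers the hidden `col_internal_notes` with 200 while the fixed path returns 404; the visible `col_orders` is served by both, and the non-LTAR `col_name` is rejected by both.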
Impact
Anyone holding a share UUID could enumerate the full set of linked records
for any hidden LTAR column on the view's table by calling the relation
endpoint directly, even when the same column was correctly omitted from the
public /rows response.
Credit
This issue was reported by @leduckhuong.
Fix
Weakness Enumeration
Improper Access Control
Affected Products
Nocodb