PT-2026-46998 · Npm · Nocodb
Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-47380
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Summary
Sign-in response timing differed between known and unknown email addresses because
the unknown-user branch returned without performing a password hash comparison.
Details
The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.
Impact
A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.
Credit
This issue was reported by @AndyAnh174.
Improper Restriction of Excessive Authentication Attempts
Related Identifiers
Affected Products
Nocodb