PT-2026-46999 · Npm · Nocodb
Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-47381
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
A user in one workspace could exercise another workspace's integration through the
testConnection endpoint by supplying its ID, because the integration was fetched in
a bypass scope and the caller's permission check matched any base in any workspace.
Details
The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and
checked only that the integration was non-private and that the caller held an
owner/creator role on any base in any workspace. The permission lookup is now scoped
to the integration's workspace by joining on fk_workspace_id, and the controller
rejects requests where the integration's workspace differs from the request's workspace.
Impact
Cross-tenant access to integration configuration through the connection-test endpoint,
including the ability to drive the resolved database with the other workspace's
credentials. Authentication with creator-or-owner role on any base in any workspace
was sufficient.
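The vulnerable check shape beside its hardened form, as an added example that is not NocoDB's code: the in-memory tables, the field names fk_workspace_id and is_private, and the two-user sample data are assumptions constructed to illustrate the tenant-scoping fix described above.

```typescript
// Simplified model of the testConnection authorization check described above.
// Not NocoDB's code: field names (fk_workspace_id, is_private) and the role
// model are assumptions; the sample data is constructed for illustration.
type Role = 'owner' | 'creator' | 'editor' | 'viewer';
interface Integration { id: string; fk_workspace_id: string; is_private: boolean }
interface BaseMember { userId: string; baseId: string; fk_workspace_id: string; role: Role }

// Constructed tenants: u1 owns a base in ws-A only, u2 is a creator in ws-B only.
const integrations: Integration[] = [
  { id: 'int-A', fk_workspace_id: 'ws-A', is_private: false },
  { id: 'int-B', fk_workspace_id: 'ws-B', is_private: false },
];
const baseMembers: BaseMember[] = [
  { userId: 'u1', baseId: 'base-A', fk_workspace_id: 'ws-A', role: 'owner' },
  { userId: 'u2', baseId: 'base-B', fk_workspace_id: 'ws-B', role: 'creator' },
];
const isPrivileged = (r: Role): boolean => r === 'owner' || r === 'creator';

// Vulnerable shape: the integration is fetched by ID alone (bypass scope) and the
// role check accepts an owner/creator role on any base in any workspace.
function canTestConnectionVulnerable(userId: string, integrationId: string): boolean {
  const integration = integrations.find((i) => i.id === integrationId);
  if (!integration || integration.is_private) return false;
  return baseMembers.some((m) => m.userId === userId && isPrivileged(m.role));
}

// Hardened shape: the controller rejects an integration outside the request's
// workspace, and the permission lookup is joined on fk_workspace_id.
function canTestConnectionFixed(userId: string, requestWorkspaceId: string, integrationId: string): boolean {
  const integration = integrations.find((i) => i.id === integrationId);
  if (!integration || integration.is_private) return false;
  if (integration.fk_workspace_id !== requestWorkspaceId) return false; // controller check
  const workspaceId = integration.fk_workspace_id;
  return baseMembers.some(
    (m) => m.userId === userId && m.fk_workspace_id === workspaceId && isPrivileged(m.role),
  );
}

// Demonstration: the cross-tenant request passes the old check and fails the new one.
console.log(canTestConnectionVulnerable('u1', 'int-B')); // true: cross-tenant allowed
console.log(canTestConnectionFixed('u1', 'ws-A', 'int-B')); // false: workspace mismatch
console.log(canTestConnectionFixed('u1', 'ws-B', 'int-B')); // false: no role in ws-B
console.log(canTestConnectionFixed('u1', 'ws-A', 'int-A')); // true: legitimate use
```

The third call shows why the controller check alone is not enough: a caller who names the other workspace in the request still fails, because the role lookup is joined on that workspace.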
Credit
This issue was reported by @DongyangLyu.
Weakness Enumeration
Authentication Bypass by Spoofing
Affected Products
Nocodb