Skip to content

Commit f3ecc59

Browse files
1 parent 57bdc4e commit f3ecc59

4 files changed

Lines changed: 247 additions & 0 deletions

File tree

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4w6r-5c2j-qf5f",
4+
"modified": "2026-06-05T16:03:11Z",
5+
"published": "2026-06-05T16:03:11Z",
6+
"aliases": [
7+
"CVE-2026-47378"
8+
],
9+
"summary": "NocoDB: Hidden Column Exposure in Public Shared View Endpoints",
10+
"details": "### Summary\nPublic shared-view endpoints exposed values from columns that the view owner had\nhidden, via three independent paths: groupBy returned raw values for any column\nnamed in the request, filter and sort arrays operated on hidden columns enabling\nboolean-blind extraction, and the related-data list accepted arbitrary link-column\nIDs from other tables in the same base.\n\n### Details\nA new `sanitizeListArgsForPublicView` helper now strips request keys that should\nnever be caller-controlled (e.g. `getHiddenColumn`, `nested`), parses `where`\nclauses against a restricted alias map that only contains visible columns, and\nrecursively removes filter/sort entries whose `fk_column_id` is not in the visible\nset. `validateGroupByColumnNames` and `validateGroupColumnId` reject groupBy\nrequests whose `column_name` (CSV-style) or `groupColumnId` is not in the visible\nor group-by column set. `relDataList` now checks `column.fk_model_id ===\ncurrentModel.id` before resolving the linked table, matching the pre-existing\ncheck on `publicMmList` and `publicHmList`.\n\n### Impact\nAnyone with a shared-view UUID could enumerate hidden-column values directly (via\ngroupBy), confirm hidden-column values by observing row counts (via filter), or\nread records from unrelated tables in the same base (via the related-data list).\nNo authentication was required.\n\n### Credit\nThis issue was reported by [@0xBassia](https://github.com/0xBassia).\nIt was independently reported by [@b-hermes](https://github.com/b-hermes).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "nocodb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.04.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-4w6r-5c2j-qf5f"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/nocodb/nocodb"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-639"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-05T16:03:11Z",
59+
"nvd_published_at": null
60+
}
61+
}
Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-96fh-m4r8-6v9v",
4+
"modified": "2026-06-05T16:04:32Z",
5+
"published": "2026-06-05T16:04:32Z",
6+
"aliases": [
7+
"CVE-2026-47381"
8+
],
9+
"summary": "NocoDB: Cross-Workspace Integration Use in Connection Test",
10+
"details": "### Summary\nA user in one workspace could exercise another workspace's integration through the\n`testConnection` endpoint by supplying its ID, because the integration was fetched in\na bypass scope and the caller's permission check matched any base in any workspace.\n\n### Details\nThe connection-test endpoint fetched the integration in `RootScopes.BYPASS` scope and\nchecked only that the integration was non-private and that the caller held an\nowner/creator role on any base in any workspace. The permission lookup is now scoped\nto the integration's workspace by joining on `fk_workspace_id`, and the controller\nrejects requests where the integration's workspace differs from the request's workspace.\n\n### Impact\nCross-tenant access to integration configuration through the connection-test endpoint,\nincluding the ability to drive the resolved database with the other workspace's\ncredentials. Authentication with creator-or-owner role on any base in any workspace\nwas sufficient.\n\n### Credit\nThis issue was reported by [@DongyangLyu](https://github.com/DongyangLyu).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "nocodb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.05.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2026.05.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-96fh-m4r8-6v9v"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/nocodb/nocodb"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-290"
58+
],
59+
"severity": "MODERATE",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-06-05T16:04:32Z",
62+
"nvd_published_at": null
63+
}
64+
}
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jr54-jwhj-55gp",
4+
"modified": "2026-06-05T16:03:55Z",
5+
"published": "2026-06-05T16:03:55Z",
6+
"aliases": [
7+
"CVE-2026-47380"
8+
],
9+
"summary": "NocoDB: User Enumeration via Sign-In Timing",
10+
"details": "### Summary\nSign-in response timing differed between known and unknown email addresses because\nthe unknown-user branch returned without performing a password hash comparison.\n\n### Details\nThe unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against\na fixed dummy hash so the response time of failed sign-ins is approximately\nindependent of whether the address exists. Rate limiting on the sign-in endpoint is\nimplemented in the Enterprise build only and is not affected by this advisory.\n\n### Impact\nA network-positioned attacker could enumerate registered email addresses by timing\nsign-in responses. Exploitation requires only the ability to send unauthenticated\nsign-in requests.\n\n### Credit\nThis issue was reported by [@AndyAnh174](https://github.com/AndyAnh174).",
11+
"severity": [],
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "npm",
16+
"name": "nocodb"
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
},
25+
{
26+
"fixed": "2026.04.1"
27+
}
28+
]
29+
}
30+
]
31+
}
32+
],
33+
"references": [
34+
{
35+
"type": "WEB",
36+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jr54-jwhj-55gp"
37+
},
38+
{
39+
"type": "PACKAGE",
40+
"url": "https://github.com/nocodb/nocodb"
41+
},
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
45+
}
46+
],
47+
"database_specific": {
48+
"cwe_ids": [
49+
"CWE-208",
50+
"CWE-307"
51+
],
52+
"severity": "LOW",
53+
"github_reviewed": true,
54+
"github_reviewed_at": "2026-06-05T16:03:55Z",
55+
"nvd_published_at": null
56+
}
57+
}
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qhxg-623c-cfjm",
4+
"modified": "2026-06-05T16:03:33Z",
5+
"published": "2026-06-05T16:03:33Z",
6+
"aliases": [
7+
"CVE-2026-47379"
8+
],
9+
"summary": "NocoDB: Plaintext Password Comparison in Shared Views",
10+
"details": "### Summary\nThe shared-view password check fell back to strict-equality (`===`) comparison for\nlegacy plaintext passwords, leaking the password's length and per-character prefix\nthrough response timing.\n\n### Details\nThe bcrypt branch (hashes starting with `$2a$`/`$2b$`) was unaffected. The legacy\nfallback in `View.ts` now uses `crypto.timingSafeEqual` and a same-length dummy\ncompare on the length-mismatch path, so total comparison time is approximately\nlength-independent. The EE dashboard model's `verifyPassword` is patched the same way.\n\n### Impact\nA network-positioned attacker could mount a timing oracle against shared views whose\npasswords predated the bcrypt migration. Exploitation requires the ability to time\nshared-view authentication responses but no prior authentication.\n\n### Credit\nThis issue was reported by [@Proscan-one](https://github.com/Proscan-one).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "nocodb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.05.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2026.05.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-qhxg-623c-cfjm"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/nocodb/nocodb"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-200",
58+
"CWE-203"
59+
],
60+
"severity": "MODERATE",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-05T16:03:33Z",
63+
"nvd_published_at": null
64+
}
65+
}

0 commit comments

Comments
 (0)