Vulnerability-Lookup

GHSA-CHQV-VRJ7-QFFP

Vulnerability from github – Published: 2026-05-21 20:35 – Updated: 2026-05-21 20:35

Summary

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Details

Summary

Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link.

Details

Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers.

The end-to-end chain:

GET /api/v2/meta/bases/:baseId/users returned the member list to shared-base callers (@Acl('baseUserList')).
POST /api/v2/meta/bases/:baseId/users accepted an invite from shared-base callers (@Acl('userInvite')); base-users.service.ts inserted a real nc_users_v2 row with invite_token and a nc_base_users_v2 row for the target base, with invited_by = null.
The invited account redeemed the invite through the normal signup path (users.service.ts), gaining a persistent JWT scoped to the base.
Revoking the shared link did not affect the redeemed account.

Impact

Confidentiality: shared-base link exposes member email addresses.
Integrity: shared-base link can mutate base ACL state by creating new members.
Persistence: link-based access converts into durable authenticated access that survives revocation of the share.

Credit

This issue was reported by @0xmrma.

Severity

5.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:35:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nShared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link.\n\n### Details\n\nShared-base sessions were mapped to `ProjectRoles.VIEWER` in `packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts`, and `packages/nocodb/src/utils/acl.ts` granted `baseUserList` and `userInvite` to that role. The shared frontend (`packages/nc-gui/composables/useApi/interceptors.ts`) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers.\n\nThe end-to-end chain:\n\n- `GET /api/v2/meta/bases/:baseId/users` returned the member list to shared-base callers (`@Acl(\u0027baseUserList\u0027)`).\n- `POST /api/v2/meta/bases/:baseId/users` accepted an invite from shared-base callers (`@Acl(\u0027userInvite\u0027)`); `base-users.service.ts` inserted a real `nc_users_v2` row with `invite_token` and a `nc_base_users_v2` row for the target base, with `invited_by = null`.\n- The invited account redeemed the invite through the normal signup path (`users.service.ts`), gaining a persistent JWT scoped to the base.\n- Revoking the shared link did not affect the redeemed account.\n\n### Impact\n\n- Confidentiality: shared-base link exposes member email addresses.\n- Integrity: shared-base link can mutate base ACL state by creating new members.\n- Persistence: link-based access converts into durable authenticated access that survives revocation of the share.\n\n### Credit\n\nThis issue was reported by [@0xmrma](https://github.com/0xmrma).",
  "id": "GHSA-chqv-vrj7-qffp",
  "modified": "2026-05-21T20:35:56Z",
  "published": "2026-05-21T20:35:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-chqv-vrj7-qffp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NocoDB: Shared-base link access can invite arbitrary users as persistent base members"
}

CVE-2026-46552 (GCVE-0-2026-46552)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:38 – Updated: 2026-06-24 14:43

Title

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Summary

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/nocodb/nocodb/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
nocodb	nocodb	Affected: < 2026.04.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46552",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:43:07.536646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:43:31.515Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nocodb",
          "vendor": "nocodb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.04.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:38:29.333Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-chqv-vrj7-qffp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-chqv-vrj7-qffp"
        }
      ],
      "source": {
        "advisory": "GHSA-chqv-vrj7-qffp",
        "discovery": "UNKNOWN"
      },
      "title": "NocoDB: Shared-base link access can invite arbitrary users as persistent base members"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46552",
    "datePublished": "2026-06-23T20:38:29.333Z",
    "dateReserved": "2026-05-14T20:42:31.369Z",
    "dateUpdated": "2026-06-24T14:43:31.515Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-CHQV-VRJ7-QFFP

Summary

Details

Impact

Credit

CVE-2026-46552 (GCVE-0-2026-46552)

Tags

Sightings

Nomenclature