NocoDB, Authorization Bypass, CVE-2026-46552 (Moderate)

Listen to this Post

The vulnerability CVE-2026-46552 is an authorization flaw in NocoDB’s shared-base functionality. When a user creates a shared-base link (e.g., a publicly shareable view of a database), NocoDB assigns that session the same privileges as an authenticated “VIEWER” role. The system does not distinguish between a legitimate viewer with a valid session and an attacker who merely possesses the shared-base UUID (xc-shared-base-id). Because the role mapping incorrectly grants the `baseUserList` and `userInvite` permissions, an attacker with only the shared-base link can perform privileged actions. By sending a `GET /api/v2/meta/bases/:baseId/users` request, the attacker can enumerate all members of the base, exposing their email addresses. More critically, by sending a `POST /api/v2/meta/bases/:baseId/users` request, the attacker can invite any arbitrary email address to become a real member of the base. The backend then creates a real user entry in the `nc_users_v2` table and a corresponding entry in the `nc_base_users_v2` table, linking the invited email to the base. Once the attacker accepts the invitation via the normal signup flow, they gain a persistent JSON Web Token (JWT) that provides them with authenticated access to the base. This token is stored and remains valid even if the original shared link is later revoked, providing the attacker with durable, ongoing access.

dailycve form:

Platform: NocoDB
Version: <=0.301.3
Vulnerability: Authorization Bypass
Severity: Moderate
date: 2026-05-21

Prediction: 2026-05-15

Analytics under heading What Undercode Say:

Check NocoDB version
curl -s http://localhost:8080/api/v1/db/health | grep version
Enumerate base members using shared link UUID (e.g., xc-shared-base-id)
curl -X GET "http://localhost:8080/api/v2/meta/bases/BASE_ID/users" \
-H "xc-shared-base-id: SHARED_LINK_UUID" | jq
Invite arbitrary user to base via shared link
curl -X POST "http://localhost:8080/api/v2/meta/bases/BASE_ID/users" \
-H "xc-shared-base-id: SHARED_LINK_UUID" \
-H "Content-Type: application/json" \
-d '{"email": "[email protected]"}'

Exploit:

  1. Obtain any valid NocoDB shared-base UUID (e.g., by creating a shareable grid view).
  2. Using this UUID as the `xc-shared-base-id` header, send a GET request to `/api/v2/meta/bases/:baseId/users` to view all member emails.
  3. Using the same header, send a POST request to the same endpoint with a payload containing an email under your control.
  4. Accept the invitation via the normal signup flow, creating a persistent JWT.
  5. Use the JWT to access the base, which remains accessible even after the shared link is revoked.

Protection from this CVE

Upgrade to NocoDB version 0.301.4 or higher. The fix implements a new internal `ProjectRoles.SHARED_BASE` role, which does not include the `baseUserList` or `userInvite` permissions, and adds specific ACL middleware to differentiate between authenticated viewers and shared-session users.

Impact

  • Confidentiality: Exposure of member email addresses via the shared link.
  • Integrity: Unauthorized addition of new members, altering the base’s access control list.
  • Persistence: Conversion of link-based access into permanent, token-authenticated access that survives revocation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top