CVE-2026-28358
Received Received - Intake
User Enumeration Vulnerability in NocoDB Password Reset Endpoint

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28358
EUVD
EUVD-2026-9207
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 0.301.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28358 is a user enumeration vulnerability in the NocoDB software versions prior to 0.301.3. The issue occurs in the password reset endpoint, which returns different responses depending on whether the submitted email address is registered or not.'}, {'type': 'paragraph', 'content': 'Specifically, when a user submits a registered email, the endpoint returns a success message, but when an unregistered email is submitted, it returns the message "Your email has not been registered." This difference in responses allows an attacker to determine if an email is registered in the system.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-204 (Observable Response Discrepancy) and does not expose any credentials or sensitive data. It was fixed in version 0.301.3 by standardizing the response regardless of email registration status.'}] [2]

Impact Analysis

This vulnerability allows an unauthenticated attacker to perform user enumeration by distinguishing whether an email address is registered in the NocoDB system.

While no credentials or sensitive data are directly exposed, user enumeration can aid attackers in targeted phishing, social engineering, or brute force attacks by confirming valid user accounts.

The severity of this issue is rated as low.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing the responses from the password forgot endpoint at POST /api/v2/auth/password/forgot. Specifically, sending requests with different email addresses and comparing the responses can reveal whether an email is registered or not.'}, {'type': 'list_item', 'content': 'Send a POST request with a registered email and note the response.'}, {'type': 'list_item', 'content': 'Send a POST request with an unregistered email and note the response.'}, {'type': 'list_item', 'content': 'If the responses differ (e.g., success message vs. "Your email has not been registered."), the system is vulnerable to user enumeration.'}, {'type': 'paragraph', 'content': 'Example curl commands to test this behavior:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-nocodb-instance/api/v2/auth/password/forgot -H "Content-Type: application/json" -d \'{"email":"[email protected]"}\''}, {'type': 'list_item', 'content': 'curl -X POST https://your-nocodb-instance/api/v2/auth/password/forgot -H "Content-Type: application/json" -d \'{"email":"[email protected]"}\''}] [2]

Mitigation Strategies

The immediate mitigation step is to upgrade NocoDB to version 0.301.3 or later, where this vulnerability has been patched by standardizing the response from the password forgot endpoint regardless of email registration status.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28358. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart