CVE-2026-28358
User Enumeration Vulnerability in NocoDB Password Reset Endpoint
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | up to 0.301.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28358 is a user enumeration vulnerability in NocoDB versions prior to 0.301.3. The issue occurs in the password reset endpoint, which returns different responses depending on whether the submitted email address is registered or not.

Specifically, when a user submits a registered email, the endpoint returns a success message, but when an unregistered email is submitted, it returns the message "Your email has not been registered." This difference in responses allows an attacker to determine if an email is registered in the system.

This vulnerability is classified under CWE-204 (Observable Response Discrepancy) and does not expose any credentials or sensitive data. It was fixed in version 0.301.3 by standardizing the response regardless of email registration status. [2]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to perform user enumeration by distinguishing whether an email address is registered in the NocoDB system.
While no credentials or sensitive data are directly exposed, user enumeration can aid attackers in targeted phishing, social engineering, or brute force attacks by confirming valid user accounts.
The severity of this issue is rated as low.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing the responses from the password forgot endpoint at POST /api/v2/auth/password/forgot. Specifically, sending requests with different email addresses and comparing the responses can reveal whether an email is registered or not.

- Send a POST request with a registered email and note the response.
- Send a POST request with an unregistered email and note the response.
- If the responses differ (e.g., success message vs. "Your email has not been registered."), the system is vulnerable to user enumeration.

Example curl commands to test this behavior:

```shell
curl -X POST https://your-nocodb-instance/api/v2/auth/password/forgot -H "Content-Type: application/json" -d '{"email":"[email protected]"}'
curl -X POST https://your-nocodb-instance/api/v2/auth/password/forgot -H "Content-Type: application/json" -d '{"email":"[email protected]"}'
```
[2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NocoDB to version 0.301.3 or later, where this vulnerability has been patched by standardizing the response from the password forgot endpoint regardless of email registration status.
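The detection answer and the mitigation answer above describe the same thing from two sides: a handler whose response differs for registered and unregistered addresses, and the fix of returning one uniform response. The following TypeScript is an added illustration, not NocoDB's own code, that models that response logic in isolation. The in-memory user set, the message strings, the `sendResetLink` stand-in and the function names are all constructed for the example; the only facts taken from the page are the endpoint's behaviour before the fix ("Your email has not been registered." versus a success message) and the nature of the fix (a standardized response). `responsesReveal` implements the comparison the detection answer performs with curl, but over handler return values so it runs offline.

```typescript
// Added illustration, not NocoDB's code: models the password-forgot endpoint's
// response logic before and after the fix for CVE-2026-28358 (CWE-204).
// User directory, messages and helper names are constructed for this example.

interface ForgotResponse {
  status: number;
  body: { msg: string };
}

// Constructed in-memory user directory standing in for the application's user table.
const registeredUsers = new Set<string>(["alice@example.com", "bob@example.com"]);

// Stand-in for the mail-sending side effect; records who would receive a link.
const sentResetLinks: string[] = [];

function sendResetLink(email: string): void {
  sentResetLinks.push(email);
}

// Vulnerable shape: the HTTP status and message reveal whether the email exists.
function forgotPasswordVulnerable(email: string): ForgotResponse {
  const normalized = email.trim().toLowerCase();
  if (!registeredUsers.has(normalized)) {
    return { status: 400, body: { msg: "Your email has not been registered." } };
  }
  sendResetLink(normalized);
  return { status: 200, body: { msg: "Password reset link sent." } };
}

// Hardened shape: identical status and message on every path. The lookup still
// happens and the mail still goes only to registered addresses, so the
// legitimate user experience is unchanged while the response carries no signal.
function forgotPasswordHardened(email: string): ForgotResponse {
  const normalized = email.trim().toLowerCase();
  if (registeredUsers.has(normalized)) {
    sendResetLink(normalized);
  }
  return {
    status: 200,
    body: { msg: "If that email is registered, a password reset link has been sent." },
  };
}

// Detection check: call a handler with a known-registered and a known-unregistered
// address and report whether anything observable in the response differs.
// This is the offline equivalent of comparing the two curl responses.
function responsesReveal(
  handler: (email: string) => ForgotResponse,
  registered: string,
  unregistered: string
): boolean {
  const a = handler(registered);
  const b = handler(unregistered);
  return a.status !== b.status || a.body.msg !== b.body.msg;
}

// Stand-alone run: the vulnerable handler is detected, the hardened one is not.
console.log("vulnerable reveals:", responsesReveal(forgotPasswordVulnerable, "alice@example.com", "nobody@example.com"));
console.log("hardened reveals:", responsesReveal(forgotPasswordHardened, "alice@example.com", "nobody@example.com"));
```

The check compares only status code and message body, which is the channel this CVE is about. When reviewing a fix of this kind, also confirm that the uniform response is returned for malformed input on the same route, and that error logging on the unregistered path does not reintroduce a different status code.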