CVE-2026-28360
Status: Received - Intake
Plaintext Password Storage Vulnerability in NocoDB Shared Views

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-06-16
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nocodb
Product: nocodb
Version / Range: up to 0.301.3 (excluding)
CWE
CWE-256: The product stores a password in plaintext within resources such as memory or files.
Executive Summary

CVE-2026-28360 is a security vulnerability in the npm package nocodb affecting versions up to 0.301.2. The vulnerability involves the storage of shared view passwords in plaintext within the database, specifically in the "password" column of the "nc_views" table.

Password verification was done using direct string equality comparisons without any hashing or encryption, which means that if an attacker gains access to the database, they can immediately read all shared view passwords in plaintext.

This flaw is classified under CWE-256 (Plaintext Storage of a Password) and was fixed in version 0.301.3 of nocodb. [1]

Impact Analysis

If an attacker compromises the database, they can read all shared view passwords in plaintext due to the lack of encryption or hashing.

The primary risk arises if users reuse these shared view passwords elsewhere, potentially allowing attackers to gain unauthorized access to other accounts or services.

Overall, the vulnerability has a low severity rating but can lead to exposure of sensitive credentials.

Detection Guidance

This vulnerability can be detected by inspecting the database used by NocoDB for the presence of plaintext shared view passwords. Specifically, you should check the "password" column in the "nc_views" table for any stored passwords in plaintext.

Since the passwords are stored without hashing or encryption, querying the database directly can reveal the issue.

- Run a SQL query such as: SELECT password FROM nc_views WHERE password IS NOT NULL;
- Check the version of NocoDB installed to confirm if it is prior to 0.301.3, as versions up to 0.301.2 are vulnerable. [1]

Mitigation Strategies

The primary mitigation step is to upgrade NocoDB to version 0.301.3 or later, where this vulnerability has been patched.

Additionally, consider resetting shared view passwords to new values after the upgrade to ensure any previously exposed plaintext passwords are no longer valid.

Limit access to the database to prevent unauthorized reading of stored passwords.
