CVE-2026-28360
Plaintext Password Storage Vulnerability in NocoDB Shared Views
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | up to 0.301.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-256 | The product stores a password in plaintext within resources such as memory or files. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28360 is a security vulnerability in the npm package nocodb affecting versions up to 0.301.2. The vulnerability involves the storage of shared view passwords in plaintext within the database, specifically in the "password" column of the "nc_views" table.
Password verification was done using direct string equality comparisons without any hashing or encryption, which means that if an attacker gains access to the database, they can immediately read all shared view passwords in plaintext.
This flaw is classified under CWE-256 (Plaintext Storage of a Password) and was fixed in version 0.301.3 of nocodb. [1]
How can this vulnerability impact me?
If an attacker compromises the database, they can read all shared view passwords in plaintext due to the lack of encryption or hashing.
The primary risk arises if users reuse these shared view passwords elsewhere, potentially allowing attackers to gain unauthorized access to other accounts or services.
Overall, the vulnerability has a low severity rating but can lead to exposure of sensitive credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the database used by NocoDB for the presence of plaintext shared view passwords. Specifically, you should check the "password" column in the "nc_views" table for any stored passwords in plaintext.
Since the passwords are stored without hashing or encryption, querying the database directly can reveal the issue.
- Run a SQL query such as: SELECT password FROM nc_views WHERE password IS NOT NULL;
- Check the version of NocoDB installed to confirm if it is prior to 0.301.3, as versions up to 0.301.2 are vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade NocoDB to version 0.301.3 or later, where this vulnerability has been patched.
Additionally, consider resetting shared view passwords to new values after the upgrade to ensure any previously exposed plaintext passwords are no longer valid.
Limit access to the database to prevent unauthorized reading of stored passwords.