CVE-2026-28361
Improper Token Validation in NocoDB Allows Unauthorized MCP Access
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | < 0.301.3 (all releases before 0.301.3; 0.301.3 itself is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28361 is a vulnerability in the npm package nocodb, specifically in the MCP token service before version 0.301.3.

The issue is that the MCP token service methods get(), regenerateToken(), and delete() look tokens up by token ID alone and never filter on the requesting user's ID, so token ownership is not validated.

This means that a user with the Creator role in the same base can read, regenerate, or delete another user's MCP tokens if they know the token ID.

This is an authorization bypass classified under CWE-639: the authorization logic fails to prevent access to another user's data when the caller supplies a different key identifier.

The vulnerability was fixed in nocodb version 0.301.3. [1]
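The pattern the answer above describes, as an added illustration that is not NocoDB's code: a token service that selects by token ID alone (the CWE-639 shape) next to one that also scopes every lookup to the requesting user. The in-memory store, the column name fk_user_id, the class names and the sample users are assumptions made for this example.

```typescript
// Added illustration of the CWE-639 pattern behind CVE-2026-28361. This is
// NOT NocoDB's code: the store layout, field names and class names are assumed.

interface McpToken {
  id: string;          // token record ID: the key a caller supplies to the API
  fk_user_id: string;  // owner of the record (assumed column name)
  base_id: string;     // base the token is scoped to
  token: string;       // the secret the MCP client actually presents
}

let secretCounter = 0;
function newSecret(): string {
  secretCounter += 1;
  return `mcp_${secretCounter.toString(16).padStart(8, '0')}`;
}

// Constructed sample data: two Creators in the same base, one token each.
function seed(): McpToken[] {
  return [
    { id: 'tok_alice', fk_user_id: 'alice', base_id: 'base1', token: 'mcp_secret_alice' },
    { id: 'tok_bob', fk_user_id: 'bob', base_id: 'base1', token: 'mcp_secret_bob' },
  ];
}

// Vulnerable shape: every lookup is keyed by token ID only. Any caller who
// passes the coarse role check and knows the ID reaches the record.
class VulnerableMcpTokenService {
  tokens: McpToken[];
  constructor(tokens: McpToken[]) { this.tokens = tokens; }
  get(tokenId: string): McpToken | undefined {
    return this.tokens.find(t => t.id === tokenId);
  }
  regenerateToken(tokenId: string): McpToken | undefined {
    const t = this.get(tokenId);
    if (t) t.token = newSecret();
    return t;
  }
  delete(tokenId: string): boolean {
    const i = this.tokens.findIndex(t => t.id === tokenId);
    if (i < 0) return false;
    this.tokens.splice(i, 1);
    return true;
  }
}

// Hardened shape: the authenticated user's ID is part of every lookup, so a
// token ID belonging to someone else behaves exactly like a non-existent one.
class HardenedMcpTokenService {
  tokens: McpToken[];
  constructor(tokens: McpToken[]) { this.tokens = tokens; }
  get(tokenId: string, userId: string): McpToken | undefined {
    return this.tokens.find(t => t.id === tokenId && t.fk_user_id === userId);
  }
  regenerateToken(tokenId: string, userId: string): McpToken | undefined {
    const t = this.get(tokenId, userId);
    if (t) t.token = newSecret();
    return t;
  }
  delete(tokenId: string, userId: string): boolean {
    const i = this.tokens.findIndex(t => t.id === tokenId && t.fk_user_id === userId);
    if (i < 0) return false;
    this.tokens.splice(i, 1);
    return true;
  }
}

// Replays the cross-user scenario: "mallory" is a Creator in base1 who has
// learned alice's token ID. Returns what each service lets her do.
function crossUserScenario() {
  const vuln = new VulnerableMcpTokenService(seed());
  const hard = new HardenedMcpTokenService(seed());
  const attacker = 'mallory';
  const victimTokenId = 'tok_alice';
  return {
    vulnerableRead: vuln.get(victimTokenId)?.token ?? null,               // leaks the secret
    vulnerableRegenerate: vuln.regenerateToken(victimTokenId) !== undefined, // rotates it
    vulnerableDelete: vuln.delete(victimTokenId),                           // removes it
    hardenedRead: hard.get(victimTokenId, attacker)?.token ?? null,         // null
    hardenedRegenerate: hard.regenerateToken(victimTokenId, attacker) !== undefined,
    hardenedDelete: hard.delete(victimTokenId, attacker),
    ownerStillWorks: hard.get(victimTokenId, 'alice')?.token ?? null,       // owner unaffected
  };
}
```

The point of the hardened form is that the ownership filter lives inside the data access, not in a separate check before it: a caller cannot reach a record that the query never returns, and an ID that is not theirs produces the same "not found" response as an ID that does not exist, so the endpoint also stops confirming which IDs are real.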
How can this vulnerability impact me?
This vulnerability allows a user with the Creator role to read, regenerate, or delete MCP tokens belonging to other users in the same base if they know the token ID.
The primary impacts are unauthorized disclosure of another user's scoped token and denial of service: regenerating or deleting a token invalidates the secret that the victim's MCP client is using.
However, the impact is somewhat limited because the attacker must already hold the Creator role in the base and must know the target token ID.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the MCP token service in NocoDB versions prior to 0.301.3, where token ownership is not validated, allowing a Creator role user to access or manipulate other users' tokens if the token ID is known.

Detection would require monitoring or auditing MCP token operations (the get(), regenerateToken(), and delete() calls) and checking whether the user performing the call is the owner of the token ID it targets.

However, no specific commands or network detection methods are provided in the available resources. [1]
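The ownership check the answer above describes, as an added detection sketch that is not NocoDB's code and not its audit-log format: the event shape, field names, ownership table and sample records are all constructed for this example. Whatever NocoDB actually records for these calls would have to be mapped into this shape first.

```typescript
// Added detection sketch for the access pattern behind CVE-2026-28361. Not
// NocoDB's code and not its log format: the event shape, field names and
// sample data below are constructed for illustration.

type McpTokenOp = 'get' | 'regenerateToken' | 'delete';

interface McpTokenAuditEvent {
  ts: string;           // ISO-8601 timestamp
  op: McpTokenOp;       // which token-service method was invoked
  actorUserId: string;  // authenticated user who made the call
  tokenId: string;      // token record ID the call targeted
}

interface CrossUserFinding {
  ts: string;
  op: McpTokenOp;
  actor: string;
  tokenId: string;
  owner: string | null; // null when the ID is not in the ownership table
  reason: string;
}

// Ownership table as it would be exported from the token store (constructed).
const TOKEN_OWNERS: Record<string, string> = {
  tok_alice: 'alice',
  tok_bob: 'bob',
};

// Constructed audit trail. The first two events are normal self-service; the
// last three are one Creator ("mallory") touching IDs that are not hers.
const SAMPLE_EVENTS: McpTokenAuditEvent[] = [
  { ts: '2026-03-01T10:00:00Z', op: 'get',             actorUserId: 'alice',   tokenId: 'tok_alice' },
  { ts: '2026-03-01T10:05:00Z', op: 'regenerateToken', actorUserId: 'bob',     tokenId: 'tok_bob' },
  { ts: '2026-03-01T11:00:00Z', op: 'get',             actorUserId: 'mallory', tokenId: 'tok_alice' },
  { ts: '2026-03-01T11:00:07Z', op: 'delete',          actorUserId: 'mallory', tokenId: 'tok_bob' },
  { ts: '2026-03-01T11:02:00Z', op: 'get',             actorUserId: 'mallory', tokenId: 'tok_unknown' },
];

// Flags every token operation whose actor is not the token's owner. An ID that
// is in nobody's ownership table is reported too: on a vulnerable build that is
// what guessing token IDs looks like, and it can also be a token that has
// already been deleted out from under its owner.
function findCrossUserTokenAccess(
  events: McpTokenAuditEvent[],
  owners: Record<string, string>,
): CrossUserFinding[] {
  const findings: CrossUserFinding[] = [];
  for (const e of events) {
    const known = Object.prototype.hasOwnProperty.call(owners, e.tokenId);
    const owner = known ? owners[e.tokenId] : null;
    if (owner === null) {
      findings.push({ ts: e.ts, op: e.op, actor: e.actorUserId, tokenId: e.tokenId, owner: null,
        reason: 'token ID not in ownership table (deleted token or ID probing)' });
    } else if (owner !== e.actorUserId) {
      findings.push({ ts: e.ts, op: e.op, actor: e.actorUserId, tokenId: e.tokenId, owner,
        reason: 'actor is not the token owner' });
    }
  }
  return findings;
}

// Counts findings per actor; one user with many hits is the account to look at.
function summarizeByActor(findings: CrossUserFinding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.actor] = (counts[f.actor] ?? 0) + 1;
  return counts;
}

// Stand-alone run over the constructed sample.
for (const f of findCrossUserTokenAccess(SAMPLE_EVENTS, TOKEN_OWNERS)) {
  console.log(`${f.ts} ${f.op} actor=${f.actor} token=${f.tokenId} owner=${f.owner ?? '?'}: ${f.reason}`);
}
```

Because the pre-patch service accepts these calls, the check is necessarily retrospective: it tells you which tokens were read, rotated or removed by someone other than their owner, which is the list of tokens to rotate after upgrading.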
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade NocoDB to version 0.301.3 or later, where the vulnerability has been patched.
Since the vulnerability requires a user with the Creator role and knowledge of token IDs, restricting Creator role assignments in shared bases reduces exposure. Keeping token IDs unknown is a weaker control, because an ID is an identifier rather than a secret and may be visible in URLs, logs, or API responses; after upgrading, regenerate any MCP tokens that may have been read by other Creators.