CVE-2026-46549
Privilege Escalation in NocoDB via OAuth Token Misconfiguration

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb
Product: nocodb
Version / Range: up to 2026.04.1 (inclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Compliance Impact

This vulnerability allows OAuth tokens with restricted scopes to inherit full permissions of the underlying user, bypassing intended access controls on organization-level endpoints.

Such unauthorized access could lead to exposure or misuse of sensitive data, potentially impacting compliance with data protection regulations like GDPR and HIPAA that require strict access controls and data minimization.

Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.04.1. The OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the access control middleware did not check these values. As a result, an OAuth token issued with restricted scopes (for example, limited to MCP-only) would still inherit the full permissions of the underlying user across all routes. Additionally, restrictions based on granted_resources.base_id were bypassed on organization-level endpoints that do not populate the base_id in the request context.

This means that the intended access restrictions of OAuth tokens were not enforced properly, allowing tokens to access more resources than they should.
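The gap described in the Description and the Executive Summary above, as an added illustration that is not NocoDB's own code: a simplified ACL check in TypeScript showing the pre-fix behaviour (scope and granted-resource fields on the request user are ignored) beside a hardened check that consults both and fails closed when an org-level route does not populate base_id. Every name here (RequestUser, RouteMeta, checkAclVulnerable, checkAclHardened, the role table and the sample routes) is a hypothetical simplification, not a NocoDB API.

```typescript
// Added example, not NocoDB code: a minimal model of the authorization gap
// in CVE-2026-46549. All identifiers below are hypothetical simplifications.

type OAuthScope = 'full' | 'mcp';

interface RequestUser {
  id: string;
  roles: string[];                                 // the underlying user's roles
  oauth_scope?: OAuthScope;                        // attached by the token strategy
  oauth_granted_resources?: { base_id?: string };  // attached by the token strategy
}

interface RouteMeta {
  permission: string;      // ACL permission name the route requires
  level: 'org' | 'base';   // org-level routes never populate ctx.base_id
  mcpAllowed: boolean;     // may an MCP-scoped token call this route at all?
}

interface RequestContext {
  base_id?: string;        // populated only on base-scoped routes
}

type Decision = 'allow' | 'deny:role' | 'deny:scope' | 'deny:resource';

// Constructed role -> permission table (hypothetical).
const ROLE_PERMISSIONS: Record<string, string[]> = {
  'org-level-creator': ['baseCreate', 'baseList', 'userList'],
  editor: ['dataList', 'dataInsert'],
};

function rolePermits(user: RequestUser, permission: string): boolean {
  return user.roles.some((r) => (ROLE_PERMISSIONS[r] ?? []).includes(permission));
}

// Pre-fix behaviour: only the underlying user's roles are consulted, so the
// oauth_scope and oauth_granted_resources fields have no effect on the decision.
function checkAclVulnerable(user: RequestUser, route: RouteMeta, _ctx: RequestContext): Decision {
  return rolePermits(user, route.permission) ? 'allow' : 'deny:role';
}

// Hardened behaviour: role check, then token scope, then resource restriction.
// A missing ctx.base_id is treated as "cannot prove the restriction holds".
function checkAclHardened(user: RequestUser, route: RouteMeta, ctx: RequestContext): Decision {
  if (!rolePermits(user, route.permission)) return 'deny:role';

  // Scope: an MCP-only token may only reach routes explicitly opened to it.
  if (user.oauth_scope === 'mcp' && !route.mcpAllowed) return 'deny:scope';

  // Granted resources: a token pinned to one base must not touch org-level
  // routes (they act across bases) nor any route whose base is unknown.
  const grantedBase = user.oauth_granted_resources?.base_id;
  if (grantedBase !== undefined) {
    if (route.level === 'org' || ctx.base_id === undefined) return 'deny:resource';
    if (ctx.base_id !== grantedBase) return 'deny:resource';
  }
  return 'allow';
}

// Constructed sample: a user who is both org-level-creator and editor, holding
// an MCP-scoped token that was granted access to base "b1" only.
const MCP_TOKEN_USER: RequestUser = {
  id: 'u1',
  roles: ['org-level-creator', 'editor'],
  oauth_scope: 'mcp',
  oauth_granted_resources: { base_id: 'b1' },
};

// Constructed sample routes: one org-level, one base-scoped and MCP-enabled.
const ROUTES: Record<string, RouteMeta> = {
  userList: { permission: 'userList', level: 'org', mcpAllowed: false },
  dataList: { permission: 'dataList', level: 'base', mcpAllowed: true },
};

// Side-by-side decision for the same request under both checks.
function compare(user: RequestUser, routeName: string, ctx: RequestContext): { vulnerable: Decision; hardened: Decision } {
  const route = ROUTES[routeName];
  return { vulnerable: checkAclVulnerable(user, route, ctx), hardened: checkAclHardened(user, route, ctx) };
}

// Org-level route with no base_id in context: the pre-fix check allows it on
// the strength of the user's roles; the hardened check stops at the scope.
console.log('userList (org):', compare(MCP_TOKEN_USER, 'userList', {}));
console.log('dataList on b1:', compare(MCP_TOKEN_USER, 'dataList', { base_id: 'b1' }));
console.log('dataList on b2:', compare(MCP_TOKEN_USER, 'dataList', { base_id: 'b2' }));
```

The order of checks matters for auditability: the scope check runs before the resource check so a log of denials distinguishes "wrong kind of token" from "right token, wrong base", and an absent base_id is a denial rather than a pass-through, which is exactly the path the org-level endpoints took before the fix.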

Impact Analysis

The vulnerability can lead to unauthorized access where OAuth tokens with restricted scopes gain broader permissions than intended. This could allow an attacker or a compromised token to access or interact with data and resources beyond their authorized scope, potentially exposing sensitive information or allowing unintended actions within the NocoDB environment.

Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.04.1. To mitigate this vulnerability, you should upgrade your NocoDB installation to version 2026.04.1 or later.
