CVE-2026-46549
Deferred Deferred - Pending Action

Privilege Escalation in NocoDB via OAuth Token Misconfiguration

Vulnerability report for CVE-2026-46549, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.04.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.04.1. The OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the access control middleware did not check these values. As a result, an OAuth token issued with restricted scopes (for example, limited to MCP-only) would still inherit the full permissions of the underlying user across all routes. Additionally, restrictions based on granted_resources.base_id were bypassed on organization-level endpoints that do not populate the base_id in the request context.

This means that the intended access restrictions of OAuth tokens were not enforced properly, allowing tokens to access more resources than they should.

Impact Analysis

The vulnerability can lead to unauthorized access where OAuth tokens with restricted scopes gain broader permissions than intended. This could allow an attacker or a compromised token to access or interact with data and resources beyond their authorized scope, potentially exposing sensitive information or allowing unintended actions within the NocoDB environment.

Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.04.1. To mitigate this vulnerability, you should upgrade your NocoDB installation to version 2026.04.1 or later.

Detection Guidance

This vulnerability involves improper enforcement of OAuth token scopes in NocoDB, where OAuth tokens with restricted scopes may inherit full user permissions. Detection involves verifying whether OAuth tokens are being accepted with scopes that should be restricted and checking if org-level endpoints are accessible without proper base/workspace restrictions.

To detect this on your system, you can monitor API requests to org-level endpoints and inspect the OAuth token scopes and granted resources associated with those requests. Look for requests where the OAuth token scope is limited (e.g., MCP-only) but the request is able to access broader resources than allowed.

Suggested commands include capturing and inspecting HTTP requests to NocoDB endpoints using tools like curl or network packet analyzers (e.g., tcpdump, Wireshark) to verify token scopes and access permissions.

  • Use curl to make an API request with an OAuth token and check the response for unauthorized access: curl -H "Authorization: Bearer <token>" https://<nocodb-instance>/api/v3/org-level-endpoint
  • Use tcpdump or Wireshark to capture traffic and analyze OAuth token scopes in requests to NocoDB endpoints.
  • Review server logs for requests where OAuth tokens with restricted scopes are accessing org-level endpoints without base_id restrictions.
Compliance Impact

This vulnerability allows OAuth tokens with restricted scopes to inherit full permissions of the underlying user, bypassing intended access controls on organization-level endpoints.

Such unauthorized access could lead to exposure or misuse of sensitive data, potentially impacting compliance with data protection regulations like GDPR and HIPAA that require strict access controls and data minimization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart