CVE-2026-46552
Status: Received - Intake
Privilege Escalation in NocoDB via Shared Base Session

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
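The two halves of the flaw, and the distinction the fix needs to make, are easiest to see in a small model of the authorization decision. This is an added illustration, not NocoDB's code: only the viewer role and the baseUserList and userInvite operations come from the advisory; the session shape, the ACL table layout and the "dataRead" operation are assumed placeholders.

```typescript
// Added illustration of the authorization flaw and its fix. Not NocoDB code:
// the Session shape, ROLE_ACL layout and "dataRead" are assumed placeholders.
type Role = "owner" | "editor" | "viewer";
type Op = "dataRead" | "baseUserList" | "userInvite";

interface Session {
  role: Role;
  viaSharedBase: boolean; // true when established from xc-shared-base-id alone
}

// Per-role grants. Letting the viewer role list members and invite users is
// half of the bug: acceptable for a real member, dangerous once an anonymous
// shared-base session is mapped onto that same role.
const ROLE_ACL: Record<Role, ReadonlySet<Op>> = {
  owner: new Set<Op>(["dataRead", "baseUserList", "userInvite"]),
  editor: new Set<Op>(["dataRead", "baseUserList", "userInvite"]),
  viewer: new Set<Op>(["dataRead", "baseUserList", "userInvite"]),
};

// Before: the shared-base strategy yields a session indistinguishable from an
// authenticated viewer, so the ACL check only ever sees the role.
function sessionFromSharedBaseBefore(sharedBaseId: string | undefined): Session | null {
  if (!sharedBaseId) return null;
  return { role: "viewer", viaSharedBase: false };
}

function authorizeBefore(s: Session, op: Op): boolean {
  return ROLE_ACL[s.role].has(op);
}

// After: the strategy records that the session came from a shared link, and the
// ACL applies a separate read-only allowlist to such sessions, whatever role
// they are mapped to. Membership operations never reach the role table.
const SHARED_BASE_ALLOWED: ReadonlySet<Op> = new Set<Op>(["dataRead"]);

function sessionFromSharedBaseAfter(sharedBaseId: string | undefined): Session | null {
  if (!sharedBaseId) return null;
  return { role: "viewer", viaSharedBase: true };
}

function authorizeAfter(s: Session, op: Op): boolean {
  if (s.viaSharedBase) return SHARED_BASE_ALLOWED.has(op);
  return ROLE_ACL[s.role].has(op);
}
```

Whether a genuine viewer should keep userInvite at all is a separate policy decision; the model leaves ROLE_ACL unchanged so that the only difference between the two versions is that the session's origin is carried through to the check.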
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nocodb | Product: nocodb | Version / Range: 2026.04.1
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability affects NocoDB software versions prior to 2026.04.1. Shared-base sessions were given the same capabilities as authenticated viewers, allowing an attacker who had only the shared-base UUID (xc-shared-base-id) to enumerate base members and invite any arbitrary email address into the base as a real member.

The invited user could then complete the normal signup process and gain authenticated access to the base, even after the owner revoked the shared link. This happened because the access control logic did not properly distinguish between shared sessions and genuine authenticated viewers.

The vulnerability was fixed in version 2026.04.1.

Impact Analysis

An attacker exploiting this vulnerability could gain unauthorized authenticated access to a NocoDB base by using only a shared-base UUID. This means they could invite themselves or others as legitimate members, potentially accessing sensitive data.

Even if the owner revokes the shared link, the attacker would retain access, which could lead to data exposure or unauthorized data manipulation.

Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.04.1. The immediate step to mitigate this vulnerability is to upgrade your NocoDB installation to version 2026.04.1 or later.

This update ensures that shared-base sessions no longer have the same capabilities as authenticated viewers, preventing attackers from enumerating base members or inviting arbitrary emails as real members.

Compliance Impact

This vulnerability allows an attacker to gain unauthorized authenticated access to a database by inviting arbitrary emails as real members and retaining access even after the owner revokes the shared link.

Such unauthorized access could lead to exposure or misuse of sensitive personal or protected health information, potentially violating data protection regulations such as GDPR or HIPAA.

Therefore, this vulnerability may negatively impact compliance with common standards and regulations that require strict access controls and protection of sensitive data.
