CVE-2026-46552
Deferred Deferred - Pending Action

Privilege Escalation in NocoDB via Shared Base Session

Vulnerability report for CVE-2026-46552, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb 2026.04.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects NocoDB software versions prior to 2026.04.1. Shared-base sessions were given the same capabilities as authenticated viewers, allowing an attacker who had only the shared-base UUID (xc-shared-base-id) to enumerate base members and invite any arbitrary email address into the base as a real member.

The invited user could then complete the normal signup process and gain authenticated access to the base, even after the owner revoked the shared link. This happened because the access control logic did not properly distinguish between shared sessions and genuine authenticated viewers.

The vulnerability was fixed in version 2026.04.1.

Compliance Impact

This vulnerability allows an attacker to gain unauthorized authenticated access to a database by inviting arbitrary emails as real members and retaining access even after the owner revokes the shared link.

Such unauthorized access could lead to exposure or misuse of sensitive personal or protected health information, potentially violating data protection regulations such as GDPR or HIPAA.

Therefore, this vulnerability may negatively impact compliance with common standards and regulations that require strict access controls and protection of sensitive data.

Impact Analysis

An attacker exploiting this vulnerability could gain unauthorized authenticated access to a NocoDB base by using only a shared-base UUID. This means they could invite themselves or others as legitimate members, potentially accessing sensitive data.

Even if the owner revokes the shared link, the attacker would retain access, which could lead to data exposure or unauthorized data manipulation.

Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.04.1. The immediate step to mitigate this vulnerability is to upgrade your NocoDB installation to version 2026.04.1 or later.

This update ensures that shared-base sessions no longer have the same capabilities as authenticated viewers, preventing attackers from enumerating base members or inviting arbitrary emails as real members.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46552. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart