CVE-2026-47378
Stored Data Exposure in NocoDB via Hidden Column Disclosure

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
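All three paths share one root cause: column references taken from the request were never resolved against the set of columns the shared view actually exposes. The following added example (not NocoDB's own code; the request shape, column model and column ids are assumptions) shows a server-side guard that rejects groupBy, filter, sort and related-data link references to hidden columns, unknown columns, or columns of another table in the base:

```typescript
// Added example, not NocoDB's code. The column model, view model and request
// shape are assumptions; the point is that a public shared-view handler must
// resolve every column reference against the view's visible columns before
// it builds a query, regardless of which request field carried the reference.
type Column = { id: string; tableId: string; isLink?: boolean };
type SharedView = { tableId: string; visibleColumnIds: Set<string> };
type SharedViewRequest = {
  groupBy?: string[];
  filters?: { columnId: string; op: string; value: unknown }[];
  sorts?: { columnId: string; direction: "asc" | "desc" }[];
  linkColumnId?: string; // related-data list request
};

// Returns every column reference the shared view must not honour, as "path:id".
function findDisallowedReferences(view: SharedView, columns: Column[], req: SharedViewRequest): string[] {
  const byId = new Map<string, Column>(columns.map((c) => [c.id, c]));
  const bad: string[] = [];
  const check = (id: string, where: string, mustBeLink = false): void => {
    const col = byId.get(id);
    // Unknown id, column of another table in the base, hidden column, or a
    // non-link column used as a link: all rejected the same way.
    if (!col || col.tableId !== view.tableId || !view.visibleColumnIds.has(id) || (mustBeLink && !col.isLink)) {
      bad.push(`${where}:${id}`);
    }
  };
  (req.groupBy ?? []).forEach((id) => check(id, "groupBy"));
  (req.filters ?? []).forEach((f) => check(f.columnId, "filter"));
  (req.sorts ?? []).forEach((s) => check(s.columnId, "sort"));
  if (req.linkColumnId !== undefined) check(req.linkColumnId, "link", true);
  return bad;
}

// Constructed sample: table t1 shares "name" and a link column but hides
// "salary"; table t2 is another table in the same base with its own link column.
const SAMPLE_COLUMNS: Column[] = [
  { id: "col_name", tableId: "t1" },
  { id: "col_salary", tableId: "t1" },
  { id: "col_orders", tableId: "t1", isLink: true },
  { id: "col_t2_link", tableId: "t2", isLink: true },
];
const SAMPLE_VIEW: SharedView = { tableId: "t1", visibleColumnIds: new Set(["col_name", "col_orders"]) };
const SAMPLE_REQUEST: SharedViewRequest = {
  groupBy: ["col_salary"],
  filters: [{ columnId: "col_name", op: "eq", value: "Ann" }, { columnId: "col_salary", op: "gt", value: 0 }],
  sorts: [{ columnId: "col_salary", direction: "asc" }],
  linkColumnId: "col_t2_link",
};

function auditSampleRequest(): string[] {
  return findDisallowedReferences(SAMPLE_VIEW, SAMPLE_COLUMNS, SAMPLE_REQUEST);
}
console.log(auditSampleRequest()); // [ 'groupBy:col_salary', 'filter:col_salary', 'sort:col_salary', 'link:col_t2_link' ]
```

A handler that calls this guard and returns a generic error when the list is non-empty closes all three disclosure paths with one check, rather than patching groupBy, filter, sort and related-data handling separately.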
Generated: 2026-06-24
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: to 2026.04.1 (inc)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability affects NocoDB versions prior to 2026.04.1. Public shared-view endpoints exposed data from columns that the view owner had intentionally hidden. There are three independent ways this exposure occurs: first, groupBy returns raw values for any column named in the request; second, filter and sort arrays operate on hidden columns, allowing boolean-blind extraction of their values even though they are never displayed; third, the related-data list accepts arbitrary link-column IDs from other tables in the same base, further exposing hidden data. This issue was fixed in version 2026.04.1.

Impact Analysis

This vulnerability can lead to unintended exposure of sensitive or confidential data that was meant to be hidden by the view owner. Attackers or unauthorized users could extract hidden column values through public shared views, potentially compromising data privacy and confidentiality.

Mitigation Strategies

To mitigate this vulnerability, upgrade NocoDB to version 2026.04.1 or later, where the issue has been fixed.

Compliance Impact

This vulnerability in NocoDB allowed public shared-view endpoints to expose values from columns that the view owner had hidden. Such unintended data exposure could lead to unauthorized disclosure of sensitive or personal information.

Exposure of hidden data through multiple independent paths may result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

By leaking data that was intended to be hidden, this vulnerability could undermine confidentiality requirements and increase the risk of data breaches, potentially leading to regulatory penalties.
