CVE-2026-47379
Deferred Deferred - Pending Action

Timing Attack in NocoDB Prior to 2026.05.1

Vulnerability report for CVE-2026-47379, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in NocoDB prior to version 2026.05.1 involves the shared-view password check mechanism. It used a fallback to strict-equality (===) comparison for legacy plaintext passwords, which caused information about the password's length and each character's prefix to be leaked through the timing of the response.

This timing leak could allow an attacker to infer details about the password by measuring how long the system takes to respond, potentially aiding in password guessing or cracking.

The issue was fixed in version 2026.05.1.

Impact Analysis

This vulnerability can impact you by exposing sensitive password information through timing attacks. An attacker could exploit this to determine the length and partial content of passwords used in shared views, increasing the risk of unauthorized access.

Such exposure can lead to compromised accounts or data breaches if attackers successfully guess or reconstruct passwords based on the leaked timing information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue with the shared-view password check timing leak has been fixed.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves a timing side-channel leak during shared-view password checks in NocoDB versions prior to 2026.05.1. Detection would require observing or measuring response timing differences when attempting to authenticate with legacy plaintext passwords.

A practical approach to detect this vulnerability on your system or network is to perform timing analysis against the shared-view password authentication endpoint by sending multiple password guesses and measuring response times to identify timing discrepancies that leak password length or character information.

Specific commands are not provided in the available resources, but you can use tools like curl or custom scripts in Python or other languages to repeatedly send authentication requests with varying password inputs and measure response times. For example, using curl in a loop with different passwords and timing the responses could help detect timing leaks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47379. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart