CVE-2026-47379
Status: Received - Intake
Timing Attack in NocoDB Prior to 2026.05.1

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb
Product: nocodb
Version / Range: to 2026.05.1 (inc)
CWE Classification
CWE-203: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

The vulnerability in NocoDB prior to version 2026.05.1 lies in the shared-view password check. For legacy plaintext passwords it fell back to a strict-equality (===) comparison, which leaked, through response timing, both the stored password's length and how many leading characters of a submitted guess matched it.

This timing leak could allow an attacker to infer details about the password by measuring how long the system takes to respond, potentially aiding in password guessing or cracking.

The issue was fixed in version 2026.05.1.

Impact Analysis

This vulnerability can impact you by exposing sensitive password information through timing attacks. An attacker could exploit this to determine the length and partial content of passwords used in shared views, increasing the risk of unauthorized access.

Such exposure can lead to compromised accounts or data breaches if attackers successfully guess or reconstruct passwords based on the leaked timing information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue with the shared-view password check timing leak has been fixed.
