CVE-2026-47380
Status: Received - Intake
Timing Side-Channel in NocoDB Prior to 2026.04.1

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
Meta Information
Generated: 2026-06-24
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: prior to 2026.04.1 (the CPE entry on this page renders the range as "to 2026.04.1 (inc)"; the description states that 2026.04.1 is the fixed version, so the affected range should be read as excluding 2026.04.1)
CWE ID: Description
CWE-208 (Observable Timing Discrepancy): Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-307 (Improper Restriction of Excessive Authentication Attempts): The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Executive Summary

This vulnerability in NocoDB occurs because the sign-in response timing differs between known and unknown email addresses. For a known address the handler computes a deliberately slow password hash comparison before answering; for an unknown address it returned early without performing that comparison, so the rejection arrived measurably faster. An attacker who times sign-in attempts can therefore distinguish valid from invalid users even though the error message is the same in both cases.

This timing difference can be exploited to enumerate valid email addresses in the system, potentially aiding further attacks.

The issue was fixed in version 2026.04.1 of NocoDB.

Impact Analysis

The vulnerability can allow attackers to determine which email addresses are registered in the NocoDB system by measuring differences in response times during sign-in attempts.

This user enumeration can lead to targeted attacks such as phishing, credential stuffing, or brute force attacks against known accounts.

While it does not directly allow unauthorized access, it lowers the barrier for attackers to identify valid users.

Mitigation Strategies

To mitigate this vulnerability, update NocoDB to version 2026.04.1 or later, where the sign-in handler no longer skips the password hash comparison for unknown email addresses. Until the upgrade is applied, the CWE-307 mapping on this entry points to the compensating control: rate-limiting sign-in attempts per source IP and per email address restricts how many timing samples an attacker can collect, and repeated samples are what they need to separate the two code paths from network jitter. To verify the fix, time repeated sign-in attempts with a wrong password against one known and one unknown address on a test instance; after the upgrade the two response-time medians should be indistinguishable, and the error message should be identical in both cases.
