CVE-2026-47380
Deferred Deferred - Pending Action

Timing Side-Channel in NocoDB Prior to 2026.04.1

Vulnerability report for CVE-2026-47380, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.04.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by performing timing analysis on sign-in attempts to the NocoDB authentication service. Specifically, an attacker or tester can measure the response times when submitting sign-in requests with different email addresses. If the response time for unknown email addresses is consistently faster than for known email addresses, this indicates the presence of the timing discrepancy vulnerability.

To detect this on your system, you can use command-line tools such as curl or specialized timing measurement scripts to send multiple sign-in requests and record the response times.

  • Use curl in a loop to send sign-in requests with known and unknown emails and measure response times, for example:
  • curl -w "%{time_total}\n" -o /dev/null -s -X POST https://your-nocodb-instance/api/v1/auth/signin -d '{"email":"[email protected]","password":"any"}'
  • curl -w "%{time_total}\n" -o /dev/null -s -X POST https://your-nocodb-instance/api/v1/auth/signin -d '{"email":"[email protected]","password":"any"}'

By comparing the total time taken for these requests, you can observe if unknown emails return faster responses, indicating the vulnerability.

Executive Summary

This vulnerability in NocoDB occurs because the sign-in response timing differs between known and unknown email addresses. Specifically, for unknown email addresses, the system returns a response without performing a password hash comparison, which can allow an attacker to distinguish valid from invalid users based on response time.

This timing difference can be exploited to enumerate valid email addresses in the system, potentially aiding further attacks.

The issue was fixed in version 2026.04.1 of NocoDB.

Impact Analysis

The vulnerability can allow attackers to determine which email addresses are registered in the NocoDB system by measuring differences in response times during sign-in attempts.

This user enumeration can lead to targeted attacks such as phishing, credential stuffing, or brute force attacks against known accounts.

While it does not directly allow unauthorized access, it lowers the barrier for attackers to identify valid users.

Mitigation Strategies

To mitigate this vulnerability, update NocoDB to version 2026.04.1 or later, where the timing difference issue in the sign-in response has been fixed.

Compliance Impact

This vulnerability allows an attacker to enumerate registered email addresses by measuring response times during sign-in attempts, potentially exposing user information.

Such user enumeration could lead to privacy concerns and may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized disclosure.

However, the vulnerability is classified as low severity and requires network access to exploit. The fix ensures consistent response times to mitigate this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47380. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart