CVE-2026-47388
Deferred Deferred - Pending Action

NocoDB MCP Token File Read Vulnerability

Vulnerability report for CVE-2026-47388, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects NocoDB software versions prior to 2026.05.1. A low-privilege MCP token holder who knows the path to an attachment could read any file in the shared storage. This includes attachments that belong to other bases and workspaces. The issue arises because the MCP readAttachment tool did not verify whether the file being accessed was owned by the user, allowing unauthorized file access.

Impact Analysis

The vulnerability allows a user with low privileges to read files they should not have access to, potentially exposing sensitive or confidential information stored in attachments across different bases and workspaces. This unauthorized access could lead to data leakage and compromise the confidentiality of information within the shared storage.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows a low-privilege token holder to read any file in shared storage, including attachments from other bases and workspaces, without verifying file ownership.

Such unauthorized access to potentially sensitive files could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and protected health information.

Therefore, this vulnerability could negatively impact compliance with these standards by enabling unauthorized data exposure.

Detection Guidance

Detection of this vulnerability involves verifying whether your NocoDB installation is running a version prior to 2026.05.1, as those versions are vulnerable.

Since exploitation requires a low-privilege MCP token and knowledge of an attachment path, monitoring for unusual MCP token usage or unauthorized file access attempts in shared storage could help detect exploitation attempts.

No specific detection commands are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart