CVE-2026-47388
NocoDB MCP Token File Read Vulnerability

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: all versions before 2026.05.1 (2026.05.1 itself excluded)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability affects NocoDB software versions prior to 2026.05.1. A low-privilege MCP token holder who knows the path to an attachment could read any file in the shared storage. This includes attachments that belong to other bases and workspaces. The issue arises because the MCP readAttachment tool did not verify whether the file being accessed was owned by the user, allowing unauthorized file access.

Impact Analysis

The vulnerability allows a user with low privileges to read files they should not have access to, potentially exposing sensitive or confidential information stored in attachments across different bases and workspaces. This unauthorized access could lead to data leakage and compromise the confidentiality of information within the shared storage.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows a low-privilege token holder to read any file in shared storage, including attachments from other bases and workspaces, without verifying file ownership.

Such unauthorized access to potentially sensitive files could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and protected health information.

Therefore, this vulnerability could negatively impact compliance with these standards by enabling unauthorized data exposure.
