CVE-2026-56773
Teable v2 REST API Authorization Bypass via Missing Permissions

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: VulnCheck

Description
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Meta Information
Published: 2026-06-26
Last modified: 2026-06-26
Generated: 2026-06-26
EPSS evaluated: N/A
Affected Vendors & Products
Vendor: teableio
Product: teable
Version / Range: up to 2026-06-15T04-43-24Z.1912 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The vulnerability allows any authenticated user to bypass authorization checks and perform unauthorized actions such as reading table schemas, creating tables, and modifying or deleting records across bases and tables.

Such unauthorized access and modification of data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards.

Executive Summary

The vulnerability in Teable's v2 REST API controller is due to missing @Permissions metadata on ORPC endpoints. This absence causes a lack of authorization checks, allowing any authenticated user to bypass these controls.

As a result, attackers can perform unauthorized actions such as reading table schemas, creating new tables, and modifying or deleting records across different bases and tables using endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
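The bug class described above, a permission guard driven by per-endpoint decorator metadata that silently treats an endpoint with no metadata as unrestricted, can be modelled in a few lines. The following is an added illustration written for this page, not Teable's code; the route names are taken from the description, while the permission strings, the guard functions and the startup check are hypothetical.

```typescript
// Minimal model of metadata-driven authorization (hypothetical, not Teable's implementation).
interface ApiRequest { user: { permissions: Set<string> }; }
type Handler = (req: ApiRequest) => unknown;

// Stands in for the metadata a @Permissions(...) decorator would attach to a handler.
const requiredPermissions = new WeakMap<Handler, string[]>();

// Equivalent of annotating a handler with @Permissions(...).
function withPermissions(perms: string[], handler: Handler): Handler {
  requiredPermissions.set(handler, perms);
  return handler;
}

// Fail-open guard: a handler without metadata is allowed through for any authenticated user.
// This is how a forgotten decorator becomes a CWE-862 authorization bypass.
function failOpenGuard(handler: Handler, req: ApiRequest): boolean {
  const needed = requiredPermissions.get(handler);
  if (needed === undefined) return true;
  return needed.every((p) => req.user.permissions.has(p));
}

// Fail-closed guard: a handler without metadata is denied, so the omission surfaces in testing
// instead of in production.
function failClosedGuard(handler: Handler, req: ApiRequest): boolean {
  const needed = requiredPermissions.get(handler);
  if (needed === undefined) return false;
  return needed.every((p) => req.user.permissions.has(p));
}

// Two hypothetical handlers: one annotated, one where the annotation was left out.
const getTable = withPermissions(['table:read'], (_req) => 'schema');        // permission name is made up
const updateRecords: Handler = (_req) => 'updated';                          // no metadata at all

// Startup check: list every registered route whose handler carries no permission metadata,
// so a deployment can refuse to boot rather than expose an unguarded endpoint.
function findUnprotected(routes: Record<string, Handler>): string[] {
  return Object.entries(routes)
    .filter(([, h]) => !requiredPermissions.has(h))
    .map(([name]) => name);
}

// Constructed sample data: the two routes named in the advisory and a user with no permissions.
const routes: Record<string, Handler> = {
  'GET /api/v2/tables/get': getTable,
  'POST /api/v2/tables/updateRecords': updateRecords,
};
const lowPrivUser: ApiRequest = { user: { permissions: new Set<string>() } };
```

Running `findUnprotected(routes)` in a test suite or at boot is the check that would have flagged the missing metadata before release.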

Impact Analysis

This vulnerability can have a significant impact by allowing any authenticated user to bypass authorization and gain unauthorized access to sensitive data and operations.

  • Attackers can read table schemas, exposing database structure and potentially sensitive metadata.
  • They can create new tables, which might be used to manipulate or corrupt data.
  • They can modify or delete records across various bases and tables, leading to data loss, corruption, or unauthorized data manipulation.

Given the high CVSS score of 8.7, this vulnerability poses a critical risk to data integrity, confidentiality, and availability.

Mitigation Strategies

To mitigate the CVE-2026-56773 vulnerability in Teable's v2 REST API, you should upgrade to the fixed version released after 2026-06-15T04-43-24Z.1912, as this release addresses the missing authorization checks.

Since the vulnerability allows any authenticated user to bypass authorization checks, restricting access to the API endpoints to trusted users only and monitoring API usage for suspicious activity can also help reduce risk until the patch is applied.
