SB2026042738 - Multiple vulnerabilities in NocoDB
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-28357)
The vulnerability allows a remote user to execute arbitrary script in users' browsers.
The vulnerability exists due to cross-site scripting in the Formula virtual cell when rendering formula results containing URI::() patterns via v-html without sanitization. A remote user can create a crafted formula field value to execute arbitrary script in users' browsers.
Exploitation requires the Creator role and occurs when another user views the affected table.
2) Cross-site scripting (CVE-ID: CVE-2026-28359)
The vulnerability allows a remote user to execute arbitrary script in the browser of another user.
The vulnerability exists due to cross-site scripting in the Rich Text field rendering path when processing raw HTML submitted via the API. A remote user can send crafted HTML content to execute arbitrary script in the browser of another user.
The issue affects content rendered via v-html in TextArea.vue through NcMarkdownParser.parse(), and viewing the stored cell is required for exploitation.
3) Observable Response Discrepancy (CVE-ID: CVE-2026-28358)
The vulnerability allows a remote attacker to enumerate registered email addresses.
The vulnerability exists due to observable response discrepancy in the password reset endpoint when handling password reset requests. A remote attacker can send a password reset request with a chosen email address to enumerate registered email addresses.
No credentials or other data are exposed.
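The following is an added example, not NocoDB code: a password-reset request handler in the vulnerable shape (a distinct "not found" answer for unknown addresses) next to the hardened shape, which returns one status and one message regardless of whether the address is registered. The user store and the outbox are constructed stand-ins for a database and a mailer.

```typescript
// Added example, not NocoDB code: a password-reset request handler whose response
// is identical for registered and unregistered addresses. The user store and
// outbox are constructed stand-ins for a database and a mailer.

export interface ResetResponse { status: number; message: string }

// Constructed sample store; assumption: e-mails are stored lower-cased.
const registeredUsers: string[] = ["alice@example.com", "bob@example.com"];

// Outbox so the example can show what would have been mailed.
export const outbox: string[] = [];

function isRegistered(email: string): boolean {
  return registeredUsers.indexOf(email) !== -1;
}

// Vulnerable shape: status and message differ depending on whether the account exists.
export function resetVulnerable(email: string): ResetResponse {
  const normalized = email.trim().toLowerCase();
  if (!isRegistered(normalized)) {
    return { status: 404, message: "User not found" };
  }
  outbox.push(normalized);
  return { status: 200, message: "Password reset email sent" };
}

// Hardened shape: one status, one message. The mail is still only sent for real
// accounts, but nothing in the response tells the caller which branch ran.
const GENERIC_MESSAGE =
  "If an account exists for that address, a password reset link has been sent.";

export function resetHardened(email: string): ResetResponse {
  const normalized = email.trim().toLowerCase();
  if (isRegistered(normalized)) {
    outbox.push(normalized); // in practice: enqueue, so send latency is not observable either
  }
  return { status: 200, message: GENERIC_MESSAGE };
}

// True when a client could not tell the two responses apart.
export function indistinguishable(a: ResetResponse, b: ResetResponse): boolean {
  return a.status === b.status && a.message === b.message;
}
```

The same uniform-response rule applies to sign-up and login error paths, and the reset endpoint should additionally be rate-limited so that the remaining signal (mail delivery timing) cannot be sampled cheaply.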
4) Unprotected storage of credentials (CVE-ID: CVE-2026-28360)
The vulnerability allows a remote attacker to disclose shared view passwords.
The vulnerability exists due to plaintext storage of a password in the nc_views password column when storing shared view passwords. A remote attacker can obtain database contents to disclose shared view passwords.
Verification used direct string equality in public-datas.service.ts, public-metas.service.ts, and calendar-datas.service.ts.
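As an added example (not NocoDB's code), the storage and verification shape that replaces a plaintext column plus `===`: the shared-view password is stored as a salted scrypt hash, verified with a constant-time comparison, and legacy plaintext rows can be upgraded in place. The stored-value format `scrypt$<salt>$<hash>` is an assumption made for the example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Added example, not NocoDB code: store a shared-view password as a salted scrypt
// hash instead of plaintext, and verify it with a constant-time comparison instead
// of `===`. The "scrypt$salt$hash" column format is an assumption for this example.

const SALT_LEN = 16;
const KEY_LEN = 32;

// Produces the value to store in the password column: "scrypt$<salt-hex>$<hash-hex>".
export function hashViewPassword(password: string): string {
  const salt = randomBytes(SALT_LEN);
  const hash = scryptSync(password, salt, KEY_LEN);
  return `scrypt$${salt.toString("hex")}$${hash.toString("hex")}`;
}

// Verifies a candidate against a stored value. Malformed stored values return false
// rather than throwing, so a corrupted row cannot become an error oracle.
export function verifyViewPassword(stored: string, candidate: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 3 || parts[0] !== "scrypt") return false;
  const salt = Buffer.from(parts[1], "hex");
  const expected = Buffer.from(parts[2], "hex");
  if (salt.length !== SALT_LEN || expected.length !== KEY_LEN) return false;
  const actual = scryptSync(candidate, salt, KEY_LEN);
  return timingSafeEqual(actual, expected);
}

// Migration helper: a value without the "scrypt$" prefix is treated as legacy
// plaintext and re-hashed; already-hashed values are returned unchanged.
export function upgradeStoredPassword(stored: string): string {
  return stored.startsWith("scrypt$") ? stored : hashViewPassword(stored);
}
```

A migration that applies the upgrade helper to every non-empty row removes the plaintext from the column; the three services named above then only need the verify call in place of the string comparison.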
5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28361)
The vulnerability allows a remote user to disclose sensitive information or cause a denial of service.
The vulnerability exists due to improper access control in McpTokenService token operations when handling token get, regeneration, and deletion requests by token ID. A remote user can supply a known token ID belonging to another user to disclose scoped token information or invalidate the token.
Exploitation requires the Creator role within the same base and knowledge of the target token ID.
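As an added example (not NocoDB's code), the lookup pattern that closes this class of bug: get, regenerate and delete all resolve the row by token ID and requesting user together, and a row that exists but belongs to someone else is reported exactly like a row that does not exist. The in-memory table, field names and user IDs are constructed for the example.

```typescript
// Added example, not NocoDB code: token get/regenerate/delete resolve the row by
// token ID and requesting user together, so a known ID that belongs to another
// user is indistinguishable from a non-existent one. Store and names are constructed.

export interface McpToken { id: string; ownerId: string; baseId: string; secret: string }

// Constructed in-memory stand-in for the tokens table.
const tokens: Record<string, McpToken> = {
  tok_1: { id: "tok_1", ownerId: "user_a", baseId: "base_1", secret: "secret-a" },
  tok_2: { id: "tok_2", ownerId: "user_b", baseId: "base_1", secret: "secret-b" },
};

function byId(tokenId: string): McpToken | null {
  return Object.prototype.hasOwnProperty.call(tokens, tokenId) ? tokens[tokenId] : null;
}

// Vulnerable shape: the ID alone selects the row; the caller's identity is never consulted.
export function getTokenVulnerable(tokenId: string): McpToken | null {
  return byId(tokenId);
}

// Hardened lookup: ownership is part of the predicate, and "not yours" collapses into
// "not found" so the endpoint does not confirm that a guessed ID exists.
function loadOwned(tokenId: string, userId: string): McpToken | null {
  const t = byId(tokenId);
  return t !== null && t.ownerId === userId ? t : null;
}

export function getToken(tokenId: string, userId: string): McpToken | null {
  return loadOwned(tokenId, userId);
}

export function regenerateToken(tokenId: string, userId: string, newSecret: string): McpToken | null {
  const t = loadOwned(tokenId, userId);
  if (t === null) return null;
  const updated: McpToken = { ...t, secret: newSecret };
  tokens[tokenId] = updated;
  return updated;
}

export function deleteToken(tokenId: string, userId: string): boolean {
  if (loadOwned(tokenId, userId) === null) return false;
  delete tokens[tokenId];
  return true;
}
```

With a real query builder the same idea is a `WHERE id = ? AND owner_id = ?` on every one of the three operations, not an ownership check bolted onto one of them; a single-column primary-key lookup followed by a separate role check is what leaves the other two operations exposed.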
6) Insufficient Session Expiration (CVE-ID: CVE-2026-28396)
The vulnerability allows a remote user to maintain unauthorized access to the victim's account after a password reset.
The vulnerability exists due to insufficient session expiration in users.service.ts when processing password reset requests. A remote user can use a previously stolen refresh token to maintain unauthorized access to the victim's account after a password reset.
The issue occurs because existing refresh tokens remain valid and can still be used to mint valid JWTs until the token expires.
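As an added example (not NocoDB's code), one way to make a password reset invalidate outstanding refresh tokens without a server-side blacklist: each refresh token records the user's token version at issue time, the reset bumps that version, and the refresh path rejects any token whose version no longer matches. The HMAC-signed token format, the secret and the user store are constructed for the example and stand in for the real JWT machinery.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not NocoDB code: refresh tokens carry the user's token version at
// issue time; a password reset bumps the version, so every refresh token issued
// before the reset is rejected even though its signature and expiry are still valid.
// Token format, secret and user store are constructed for the example.

const SECRET = "example-refresh-secret"; // constructed; load from configuration in practice

interface User { id: string; passwordHash: string; tokenVersion: number }
const users: Record<string, User> = {
  user_1: { id: "user_1", passwordHash: "old-hash", tokenVersion: 0 },
};

interface RefreshPayload { sub: string; exp: number; tv: number }

function sign(data: string): string {
  return createHmac("sha256", SECRET).update(data).digest("base64url");
}

export function issueRefreshToken(userId: string, ttlSeconds: number, now: number): string {
  const user = users[userId];
  if (!user) throw new Error("unknown user");
  const payload: RefreshPayload = { sub: userId, exp: now + ttlSeconds, tv: user.tokenVersion };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Signature and expiry only: this is the check that leaves pre-reset tokens usable.
function verifySignatureAndExpiry(token: string, now: number): RefreshPayload | null {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return null;
  const body = token.slice(0, dot);
  const sig = Buffer.from(token.slice(dot + 1));
  const expected = Buffer.from(sign(body));
  if (sig.length !== expected.length || !timingSafeEqual(sig, expected)) return null;
  try {
    const payload = JSON.parse(Buffer.from(body, "base64url").toString()) as RefreshPayload;
    return payload.exp > now ? payload : null;
  } catch {
    return null;
  }
}

// Hardened refresh: the token's version must also match the user's current version.
export function refreshSession(token: string, now: number): string | null {
  const payload = verifySignatureAndExpiry(token, now);
  if (payload === null) return null;
  const user = users[payload.sub];
  if (!user || payload.tv !== user.tokenVersion) return null;
  return `access-for-${user.id}`; // stands in for minting a new access JWT
}

// Password reset rotates the hash and bumps the version, which invalidates every
// refresh token issued before this call.
export function resetPassword(userId: string, newHash: string): void {
  const user = users[userId];
  if (!user) throw new Error("unknown user");
  user.passwordHash = newHash;
  user.tokenVersion += 1;
}
```

The version check costs one user lookup per refresh, which the refresh path already does; the alternative of storing a `passwordChangedAt` timestamp and rejecting tokens whose `iat` predates it is equivalent and works with standard JWT claims.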
7) Cross-site scripting (CVE-ID: CVE-2026-28398)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in Comments.vue and TextArea.vue when rendering user-supplied comments and rich text content. A remote user can submit crafted comment or rich text content to execute arbitrary script in a victim's browser.
For the comments vector, commenter role is sufficient; for the rich text vector, editor role is required.
8) SQL injection (CVE-ID: CVE-2026-28399)
The vulnerability allows a remote user to disclose or modify data in the connected database.
The vulnerability exists due to SQL injection in the DATEADD formula handling when processing the unit parameter. A remote user can supply a crafted DATEADD formula to disclose or modify data in the connected database.
The issue affects MySQL, PostgreSQL, and SQLite function mappings, and exploitation requires Creator role privileges.
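As an added example (not NocoDB's own formula mapping), the shape of a fix for a unit argument that reaches generated SQL: the unit is matched against a fixed allowlist and translated to a per-dialect literal chosen by the code, the count is passed as a bind parameter, and anything else is rejected before a query is built. The dialect function shapes are simplified stand-ins and the column is assumed to be a builder-quoted identifier.

```typescript
// Added example, not NocoDB code: the unit of a DATEADD-style formula is matched
// against an allowlist and mapped to a per-dialect literal, so user text never
// reaches the SQL string. Dialect shapes are simplified stand-ins; `column` is
// assumed to be an identifier already quoted by the query builder.

export type Dialect = "mysql" | "pg" | "sqlite";

const UNITS = {
  day:   { mysql: "DAY",   pg: "days",   sqlite: "days" },
  week:  { mysql: "WEEK",  pg: "weeks",  sqlite: "days" },   // sqlite has no week unit; scaled below
  month: { mysql: "MONTH", pg: "months", sqlite: "months" },
  year:  { mysql: "YEAR",  pg: "years",  sqlite: "years" },
} as const;
export type Unit = keyof typeof UNITS;

// Returns the canonical unit or null. hasOwnProperty (not `in`) so that names
// inherited from Object.prototype such as "toString" are not accepted.
export function normalizeUnit(raw: string): Unit | null {
  const key = raw.trim().toLowerCase();
  return Object.prototype.hasOwnProperty.call(UNITS, key) ? (key as Unit) : null;
}

export interface SqlFragment { sql: string; bindings: (string | number)[] }

// Vulnerable shape: both count and unit are interpolated verbatim into the SQL text.
export function dateAddVulnerable(column: string, count: string, unit: string): string {
  return `DATE_ADD(${column}, INTERVAL ${count} ${unit})`;
}

// Hardened shape: allowlisted unit, integer count as a binding, dialect-specific literal.
export function dateAdd(dialect: Dialect, column: string, count: number, unit: string): SqlFragment {
  const u = normalizeUnit(unit);
  if (u === null) throw new Error("DATEADD: unsupported unit");
  if (!isFinite(count) || Math.floor(count) !== count) throw new Error("DATEADD: count must be an integer");
  switch (dialect) {
    case "mysql":
      return { sql: `DATE_ADD(${column}, INTERVAL ? ${UNITS[u].mysql})`, bindings: [count] };
    case "pg":
      return { sql: `(${column} + (CAST(? AS text) || ' ${UNITS[u].pg}')::interval)`, bindings: [count] };
    case "sqlite": {
      const n = u === "week" ? count * 7 : count;
      return { sql: `DATETIME(${column}, ? || ' ${UNITS[u].sqlite}')`, bindings: [n] };
    }
    default:
      throw new Error("DATEADD: unknown dialect");
  }
}

// Returns true when building the fragment is refused.
export function isRejected(dialect: Dialect, column: string, count: number, unit: string): boolean {
  try { dateAdd(dialect, column, count, unit); return false; } catch { return true; }
}
```

The allowlist is the whole fix: with the unit resolved to a key the code owns, the three dialect mappings can keep their different spellings without any of them ever seeing the user's string.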
9) Cross-site scripting (CVE-ID: CVE-2026-28397)
The vulnerability allows a remote user to execute arbitrary script code in the browser of another user.
The vulnerability exists due to cross-site scripting in Comments.vue when rendering comment content. A remote user can inject arbitrary HTML in a comment to execute arbitrary script code in the browser of another user.
The issue affects comments parsed by markdown-it with HTML enabled and rendered via v-html, and script execution occurs when another user views the comment.
10) Cross-site scripting (CVE-ID: CVE-2026-28401)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in TextArea.vue when rendering rich text cell content. A remote user can inject arbitrary HTML into a rich text cell to execute arbitrary script in a victim's browser.
The issue affects content parsed by markdown-it with HTML enabled and viewed by other users.
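The five cross-site scripting items above (1, 2, 7, 9 and 10) share one root cause: user-controlled text reaches `v-html` without being escaped or sanitized. As an added example (not NocoDB's code), the following shows the Formula case from item 1 in a vulnerable shape, where a regex substitution builds an anchor from the cell text, beside a hardened renderer that escapes everything and only emits an anchor when the URL passes a scheme allowlist. The `URI::(<url>)` marker syntax is an assumption made for the example.

```typescript
// Added example, not NocoDB code: escaping cell text before it is bound with v-html,
// and turning URI::(...) markers into links only after the URL passes a scheme check.
// The exact URI::() syntax is assumed here as URI::(<url>).

const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escapes the five characters that matter in HTML text and attribute context.
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

const SAFE_SCHEMES = ["http:", "https:", "mailto:"];

// Returns a normalized href for allowlisted schemes, null for anything else
// (including strings that do not parse as a URL at all).
export function safeHref(raw: string): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return null; }
  return SAFE_SCHEMES.indexOf(url.protocol) !== -1 ? url.href : null;
}

// Vulnerable shape: the substituted string goes straight to v-html; neither the
// surrounding text nor the captured URL is escaped or validated.
export function renderFormulaVulnerable(result: string): string {
  return result.replace(/URI::\((.*?)\)/g, '<a href="$1">$1</a>');
}

// Hardened shape: all text is escaped; a marker becomes an anchor only when its
// URL is accepted, and is otherwise shown literally.
export function renderFormula(result: string): string {
  const pattern = /URI::\(([^)]*)\)/g;
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = pattern.exec(result)) !== null) {
    out += escapeHtml(result.slice(last, m.index));
    const href = safeHref(m[1]);
    out += href !== null
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(result.slice(last));
}
```

For the markdown-rendered paths in items 2, 7, 9 and 10 the equivalent change is configuration rather than code: render with markdown-it's `html` option disabled so raw tags in the source are escaped, or pass the rendered HTML through an allowlist sanitizer before it is bound with `v-html`; plain text interpolation (`{{ }}`) remains the default wherever the content is not meant to carry markup.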
Remediation
Install update from vendor's website.
References
- https://github.com/nocodb/nocodb/security/advisories/GHSA-vx5p-q85x-xm3c
- https://github.com/advisories/GHSA-vx5p-q85x-xm3c
- https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc44
- https://github.com/advisories/GHSA-qxwq-q265-hc44
- https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php
- https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv
- https://github.com/advisories/GHSA-mpp2-x7wv-38hv
- https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q
- https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g
- https://github.com/advisories/GHSA-x4vh-j75g-268g
- https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7
- https://github.com/advisories/GHSA-8vm4-g489-v3w7
- https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852
- https://github.com/advisories/GHSA-45rp-9p97-h852
- https://github.com/nocodb/nocodb/security/advisories/GHSA-rcph-x7mj-54mm
- https://github.com/advisories/GHSA-rcph-x7mj-54mm
- https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm
- https://github.com/advisories/GHSA-wwp2-x4rj-j8rm