Authorization bypass through user-controlled key in NocoDB - CVE-2026-28361

Published: April 27, 2026

Vulnerability identifier: #VU127985
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28361
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nocodb
Affected software:
NocoDB

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information or cause a denial of service.

The vulnerability exists due to improper access control in McpTokenService token operations when handling token get, regeneration, and deletion requests by token ID. A remote user can supply a known token ID belonging to another user to disclose scoped token information or invalidate the token.

Exploitation requires the Creator role within the same base and knowledge of the target token ID.
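The flaw class the advisory describes (CWE-639, a token looked up by its ID alone with no check that it belongs to the caller) is shown below as an added TypeScript illustration. The interface, store and function names are assumptions for this example and are not NocoDB's McpTokenService code; the vulnerable lookup sits beside a scoped one that applies the same ownership check to get, regenerate and delete.

```typescript
// Added illustration of the CWE-639 pattern from the advisory.
// Names and structure are assumptions, not NocoDB's own code.

interface McpToken {
  id: string;
  ownerId: string;
  baseId: string;
  secret: string;
}

class AuthorizationError extends Error {}

// Constructed sample store: two tokens owned by different users of one base.
const tokens = new Map<string, McpToken>([
  ["tok-1", { id: "tok-1", ownerId: "alice", baseId: "base-A", secret: "s1" }],
  ["tok-2", { id: "tok-2", ownerId: "bob", baseId: "base-A", secret: "s2" }],
]);

// Vulnerable pattern: any caller who knows a token ID can read it,
// regardless of who owns it.
function getTokenUnchecked(tokenId: string): McpToken | undefined {
  return tokens.get(tokenId);
}

// Hardened pattern: the lookup is scoped to the requester, so a token owned
// by someone else is indistinguishable from a token that does not exist.
function getTokenScoped(tokenId: string, requesterId: string): McpToken {
  const token = tokens.get(tokenId);
  if (!token || token.ownerId !== requesterId) {
    throw new AuthorizationError("token not found");
  }
  return token;
}

// Mutating operations reuse the same check before touching the record.
function regenerateTokenScoped(tokenId: string, requesterId: string, newSecret: string): McpToken {
  const token = getTokenScoped(tokenId, requesterId);
  token.secret = newSecret;
  return token;
}

function deleteTokenScoped(tokenId: string, requesterId: string): boolean {
  getTokenScoped(tokenId, requesterId);
  return tokens.delete(tokenId);
}
```

The key property is that the owner check happens on the read path and is therefore inherited by regenerate and delete, so none of the three operations can be driven with a foreign token ID.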

How to mitigate CVE-2026-28361

Install the security update from the vendor's website.

Sources