Improper Authorization in NocoDB - CVE-2026-46552
Published: May 23, 2026
NocoDB
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information and gain persistent unauthorized access.
The vulnerability exists because the shared-base session handling and access-control logic improperly authorize requests that are authenticated only with the shared-base UUID header. A remote attacker who holds the shared-base UUID can enumerate the base's members and invite an arbitrary email address into the base, which discloses sensitive information and grants persistent unauthorized access.
The invited user can redeem the invite through the normal signup flow, and the resulting authenticated access remains even after the shared link is revoked: the invite creates a regular base membership, and revoking the link does not remove that membership. Remediation therefore has to go beyond revoking shared links and include reviewing each affected base's member list for accounts that were not invited by a legitimate owner.
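The following is an added illustration of the authorization-logic flaw class described above; it is not NocoDB's code and does not reproduce NocoDB's endpoints. It models two checks side by side: a vulnerable one that treats any resolved principal, including one that only presented a shared-base UUID, as allowed to list and invite members, and a hardened one that confines shared-link principals to the shared view and requires an owner session for membership operations. The header names, role names, default invite role and the scenario data are assumptions made for the example.

```typescript
// Added illustration, not NocoDB's code: a model of the authorization-logic flaw
// class the advisory describes. Header names, role names and the default invite
// role are assumptions made for the example.

type Role = 'owner' | 'editor' | 'viewer';

interface Base {
  id: string;
  sharedUuid: string | null;          // null once the shared link is revoked
  members: { [email: string]: Role };
}

interface Principal {
  kind: 'user' | 'shared-link';
  email: string | null;               // null for a shared-link principal
  baseId: string;
}

type ReqHeaders = { [name: string]: string | undefined };
type AuthzCheck = (p: Principal, base: Base) => boolean;

// Assumed header names, used only to make the request shape concrete.
const SHARED_BASE_HEADER = 'xc-shared-base-id';
const AUTH_HEADER = 'xc-auth';

let bases: Base[] = [];
let sessions: { [token: string]: { email: string; baseId: string } } = {};

function findBase(pred: (b: Base) => boolean): Base | null {
  for (let i = 0; i < bases.length; i++) if (pred(bases[i])) return bases[i];
  return null;
}

// A user session wins; otherwise a bare shared-base UUID yields a shared-link principal.
function resolvePrincipal(headers: ReqHeaders): Principal | null {
  const token = headers[AUTH_HEADER];
  const session = token ? sessions[token] : undefined;
  if (session) return { kind: 'user', email: session.email, baseId: session.baseId };
  const shared = headers[SHARED_BASE_HEADER];
  const base = shared ? findBase(b => b.sharedUuid === shared) : null;
  if (base) return { kind: 'shared-link', email: null, baseId: base.id };
  return null;
}

// Vulnerable pattern: once any principal resolves, membership operations are allowed,
// so a request carrying only the shared-base UUID passes the check.
const canManageMembersVulnerable: AuthzCheck = () => true;

// Hardened pattern: shared-link principals never reach membership operations;
// a user session holding the owner role on this base is required.
const canManageMembersFixed: AuthzCheck = (p, base) =>
  p.kind === 'user' && p.email !== null && base.members[p.email] === 'owner';

function authorize(headers: ReqHeaders, authz: AuthzCheck): Base | null {
  const p = resolvePrincipal(headers);
  if (!p) return null;
  const base = findBase(b => b.id === p.baseId);
  return base && authz(p, base) ? base : null;
}

function listMembers(headers: ReqHeaders, authz: AuthzCheck): string[] | 'forbidden' {
  const base = authorize(headers, authz);
  return base ? Object.keys(base.members) : 'forbidden';
}

function inviteMember(headers: ReqHeaders, email: string, authz: AuthzCheck): 'ok' | 'forbidden' {
  const base = authorize(headers, authz);
  if (!base) return 'forbidden';
  base.members[email] = 'editor'; // assumed default role for an invite
  return 'ok';
}

function revokeSharedLink(baseId: string): void {
  const base = findBase(b => b.id === baseId);
  if (base) base.sharedUuid = null;
}

function isMember(baseId: string, email: string): boolean {
  const base = findBase(b => b.id === baseId);
  return base !== null && Object.prototype.hasOwnProperty.call(base.members, email);
}

// Constructed scenario: one base with one owner and a public shared link. The attacker
// knows only the shared-base UUID. Returns what each party can observe.
function runScenario(authz: AuthzCheck) {
  bases = [{ id: 'base1', sharedUuid: 'shared-uuid-1111', members: { 'owner@example.com': 'owner' } }];
  sessions = { 'owner-token': { email: 'owner@example.com', baseId: 'base1' } };

  const attacker: ReqHeaders = { [SHARED_BASE_HEADER]: 'shared-uuid-1111' };
  const owner: ReqHeaders = { [AUTH_HEADER]: 'owner-token' };

  const enumerated = listMembers(attacker, authz);
  const invited = inviteMember(attacker, 'attacker@example.com', authz);
  revokeSharedLink('base1'); // the shared link is revoked after the fact...

  return {
    enumerated,
    invited,
    ownerStillWorks: listMembers(owner, authz) !== 'forbidden',
    linkStillResolves: resolvePrincipal(attacker) !== null,
    // ...but a membership record created by the invite is independent of the link.
    attackerPersists: isMember('base1', 'attacker@example.com'),
  };
}
```

Running runScenario with canManageMembersVulnerable shows the full chain from the advisory: the shared-base UUID alone is enough to list the members and to invite attacker@example.com, and after the link is revoked the link no longer resolves while the attacker's membership remains. With canManageMembersFixed both operations are refused for the shared-link principal while the owner's session keeps working, which is the property a fix for this class of bug has to preserve.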