Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Compromise
Action: Patch
AI Analysis

Impact

Shared view passwords were stored in the database as plain text and compared with direct string equality. Anyone who can read the database can therefore obtain these passwords and use them, unmodified, to access the associated shared views, leading to unauthorized disclosure of data.

Affected Systems

NocoDB versions prior to 0.301.3 are affected. The vendor and product are identified as nocodb:nocodb, and the issue exists only in these earlier releases of the software.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS score of less than 1 percent shows a very low likelihood of exploitation. The vulnerability was not listed in the CISA Known Exploited Vulnerabilities catalog, and the problem requires direct database access or the ability to read the stored credentials. The patch was released in version 0.301.3, so the risk is mitigated if the application is updated.

Generated by OpenCVE AI on April 16, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NocoDB version 0.301.3 or later, which removes the plaintext password storage and uses secure comparison.
  • If an upgrade is not immediately possible, reset all shared view passwords in the database and regenerate new passwords to eliminate the stored plaintext secrets.
  • Restrict and monitor database access, ensuring that only trusted administrators can read the credential store to prevent unauthorized extraction of sensitive data.
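
The weakness and a hardened alternative, as an added example that is not NocoDB's code or its 0.301.3 patch: the plaintext check described above beside a salted scrypt hash verified with a constant-time comparison. The row shape, function names, the `scrypt$` storage format and the choice of scrypt are assumptions made for illustration.

```javascript
// Added illustration, not NocoDB source code. Row shape and function names are hypothetical.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Pattern the advisory describes: secret stored as-is, checked with string equality.
function checkPlaintext(view, supplied) {
  return view.password === supplied;
}

// Hardened storage: random per-password salt, scrypt-derived key, self-describing string.
function hashViewPassword(password) {
  const salt = randomBytes(16);
  const key = scryptSync(String(password), salt, 32);
  return ['scrypt', salt.toString('hex'), key.toString('hex')].join('$');
}

// Hardened check: re-derive with the stored salt, then compare in constant time.
function verifyViewPassword(stored, supplied) {
  const parts = String(stored).split('$');
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false; // legacy or malformed value
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  if (salt.length === 0 || expected.length === 0) return false;
  const actual = scryptSync(String(supplied), salt, expected.length);
  return timingSafeEqual(actual, expected); // lengths are equal by construction
}

// One-off migration: hash rows that still hold plaintext (assumed: no scrypt$ prefix).
// A production schema would track this with a separate column rather than a prefix test.
function migrateRow(view) {
  if (typeof view.password !== 'string' || view.password.startsWith('scrypt$')) return view;
  return { ...view, password: hashViewPassword(view.password) };
}

// Constructed sample row, as a database reader would see it before and after migration.
const legacyRow = { id: 'vw_example', password: 'hunter2-constructed' };
const migratedRow = migrateRow(legacyRow);
```

After migration the stored value no longer reveals the password to someone with read access to the table, and rows left in plaintext are rejected by `verifyViewPassword` rather than silently accepted.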



Advisories
Source: GitHub GHSA
ID: GHSA-mpp2-x7wv-38hv
Title: NocoDB has Plaintext Storage of Shared View Passwords
History

Tue, 03 Mar 2026 19:00:00 +0000

Type: Values Added (no Values Removed listed)

  • First Time appeared: Nocodb; Nocodb nocodb
  • CPEs: cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
  • Vendors & Products: Nocodb; Nocodb nocodb
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 03 Mar 2026 16:15:00 +0000

Type: Values Added (no Values Removed listed)

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 16:45:00 +0000

Type: Values Added (no Values Removed listed)

  • Description: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
  • Title: NocoDB: Plaintext Storage of Shared View Passwords
  • Weaknesses: CWE-256
  • References
  • Metrics: cvssV4_0 {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T16:01:21.017Z

Reserved: 2026-02-26T18:38:13.891Z

Link: CVE-2026-28360

Vulnrichment

Updated: 2026-03-03T16:01:16.753Z

NVD

Status: Analyzed

Published: 2026-03-02T17:16:34.310

Modified: 2026-03-03T18:58:09.853

Link: CVE-2026-28360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses