Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NocoDB exists because, before version 2026.04.1, the OAuth token strategy attaches oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consults these fields. As a result, an OAuth token issued with a restricted scope, such as MCP-only, inherits the full permissions of the underlying user across all routes. Additionally, the granted_resources.base_id restriction is bypassed on org‑level endpoints that do not populate req.context.base_id. This flaw allows an attacker who obtains or generates a scoped token to perform operations beyond the intended scope, effectively escalating privileges. The weakness is an access‑control failure (CWE‑863).

Affected Systems

NocoDB (vendor: nocodb, product: nocodb). All releases prior to version 2026.04.1 are affected. Update to 2026.04.1 or later to apply the fix that enforces scope at the ACL layer.

Risk and Exploitability

With a CVSS score of 2, the vulnerability is considered low severity, and there is no EPSS data available, suggesting a low likelihood of exploitation. It is not listed in CISA’s KEV catalog. The attack vector is inferred to be through the OAuth token issuance process; an attacker who can control or predict token scopes can bypass ACL checks. No public exploits are reported, but the risk remains for anyone who delegates restricted OAuth scopes to users.

Generated by OpenCVE AI on June 24, 2026 at 02:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later to enforce OAuth token scopes in the ACL middleware.
  • If upgrade is not immediately possible, restrict OAuth scopes to full access only and monitor token use for unauthorized activity.
  • Review existing OAuth tokens and revoke or reissue any that were granted with restricted scopes before the fix was applied.

Generated by OpenCVE AI on June 24, 2026 at 02:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m5qg-rvjq-727p NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
History

Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
Title NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Nocodb Nocodb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:40:24.037Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46549

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses