Impact
The vulnerability in NocoDB, a spreadsheet-like database builder, appears because the OAuth token strategy attaches oauth_scope and oauth_granted_resources to the request user but the ACL middleware never checks these attributes. As a consequence, an OAuth token issued with a confined scope, such as MCP-only, carries the full permissions of the underlying user on every route, and the base_id restriction in granted_resources is bypassed on org-level endpoints that omit req.context.base_id. This oversight permits an attacker who obtains or generates a constrained token to perform actions beyond the intended scope. The weakness is an access-control failure classified as CWE-863.
Affected Systems
NocoDB (vendor: nocodb, product: nocodb). All releases prior to version 2026.04.1 are affected. Update to 2026.04.1 or later to apply the fix that enforces scope at the ACL layer.
Risk and Exploitability
With a CVSS score of 2, the vulnerability is considered low severity, and there is no EPSS data available, suggesting a low likelihood of exploitation. It is not listed in CISA’s KEV catalog. The attack vector is inferred to be through the OAuth token issuance process; an attacker who can control or predict token scopes can bypass ACL checks. No public exploits are reported, but the risk remains for anyone who delegates restricted OAuth scopes to users.
OpenCVE Enrichment
Github GHSA