Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in NocoDB, a spreadsheet-like database builder, appears because the OAuth token strategy attaches oauth_scope and oauth_granted_resources to the request user but the ACL middleware never checks these attributes. As a consequence, an OAuth token issued with a confined scope, such as MCP-only, carries the full permissions of the underlying user on every route, and the base_id restriction in granted_resources is bypassed on org-level endpoints that omit req.context.base_id. This oversight permits an attacker who obtains or generates a constrained token to perform actions beyond the intended scope. The weakness is an access-control failure classified as CWE-863.

Affected Systems

NocoDB (vendor: nocodb, product: nocodb). All releases prior to version 2026.04.1 are affected. Update to 2026.04.1 or later to apply the fix that enforces scope at the ACL layer.

Risk and Exploitability

With a CVSS score of 2, the vulnerability is considered low severity, and there is no EPSS data available, suggesting a low likelihood of exploitation. It is not listed in CISA’s KEV catalog. The attack vector is inferred to be through the OAuth token issuance process; an attacker who can control or predict token scopes can bypass ACL checks. No public exploits are reported, but the risk remains for anyone who delegates restricted OAuth scopes to users.

Generated by OpenCVE AI on June 24, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later to enforce OAuth token scopes in the ACL middleware.
  • If upgrade is not immediately possible, restrict OAuth scopes to full access only and monitor token use for unauthorized activity.
  • Review existing OAuth tokens and revoke or reissue any that were granted with restricted scopes before the fix was applied.

Generated by OpenCVE AI on June 24, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m5qg-rvjq-727p NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
Title NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:17:16.868Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46549

cve-icon Vulnrichment

Updated: 2026-06-24T13:17:07.704Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T09:30:06Z

Weaknesses