Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is a database‑as‑spreadsheet platform. Before the 2026.04.1 release, shared‑base sessions were given the same base‑member privileges as authenticated viewers. Using only the shared‑base UUID (xc‑shared‑base‑id), an attacker can enumerate base members and invite an arbitrary email address to join the base as a real member. The invited user can redeem the invite through the normal signup process and keep authenticated access even if the link owner later revokes the shared link. This flaw occurs because shared‑base sessions are mapped to the ProjectRoles.VIEWER role and the ACL logic grants baseUserList and userInvite rights to that role, while the shared frontend removes auth headers in favor of the shared‑base header, causing the ACL middleware to treat shared sessions as normal viewers and allow the invitation.

Affected Systems

The vulnerability affects all NocoDB deployments running any version prior to 2026.04.1. NocoDB is the product delivered by the vendor nocodb.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity vulnerability. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by targeting a shared‑base link presented to a user; they can use the shared‑base UUID to invite additional users as base members. The lack of distinction between shared sessions and authenticated viewers in the ACL logic is the root of the issue.

Generated by OpenCVE AI on June 24, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later to fix the shared‑base session handling.
  • If an upgrade cannot be performed immediately, temporarily disable or restrict the generation of shared‑base links so that users cannot create or share these links until the patch is applied.
  • After the upgrade, audit the base for any unexpected or newly added members and revoke any accounts that were added through the shared link.

Generated by OpenCVE AI on June 24, 2026 at 09:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-chqv-vrj7-qffp NocoDB: Shared-base link access can invite arbitrary users as persistent base members
History

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
Title NocoDB: Shared-base link access can invite arbitrary users as persistent base members
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T14:43:31.515Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46552

cve-icon Vulnrichment

Updated: 2026-06-24T14:43:18.782Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses