Impact
NocoDB is a database‑as‑spreadsheet platform. Before the 2026.04.1 release, shared‑base sessions were given the same base‑member privileges as authenticated viewers. Using only the shared‑base UUID (xc‑shared‑base‑id), an attacker can enumerate base members and invite an arbitrary email address to join the base as a real member. The invited user can redeem the invite through the normal signup process and keep authenticated access even if the link owner later revokes the shared link. This flaw occurs because shared‑base sessions are mapped to the ProjectRoles.VIEWER role and the ACL logic grants baseUserList and userInvite rights to that role, while the shared frontend removes auth headers in favor of the shared‑base header, causing the ACL middleware to treat shared sessions as normal viewers and allow the invitation.
Affected Systems
The vulnerability affects all NocoDB deployments running any version prior to 2026.04.1. NocoDB is the product delivered by the vendor nocodb.
Risk and Exploitability
The CVSS score of 5.8 indicates a moderate severity vulnerability. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by targeting a shared‑base link presented to a user; they can use the shared‑base UUID to invite additional users as base members. The lack of distinction between shared sessions and authenticated viewers in the ACL logic is the root of the issue.
OpenCVE Enrichment
Github GHSA