Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
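The defect the description names is a role mapping, so the following TypeScript model, added here as an illustration and not NocoDB's own code, shows that mapping beside a corrected one that gives link sessions their own role without member-management rights; the `Session` shape, the ACL table, `SHARED_BASE_ROLE` and the `resolveRole*`/`check*` functions are constructed assumptions.

```typescript
// Constructed model of the ACL gap; role and operation names follow the advisory text.
enum ProjectRoles { OWNER = 'owner', EDITOR = 'editor', VIEWER = 'viewer' }

// Hypothetical dedicated role for sessions that present only xc-shared-base-id.
const SHARED_BASE_ROLE = 'shared-base-viewer';

// Constructed ACL table: operation -> roles allowed to call it.
// Note that baseUserList and userInvite are granted to VIEWER, as the advisory states.
const ACL: Record<string, Set<string>> = {
  dataList:     new Set<string>([ProjectRoles.OWNER, ProjectRoles.EDITOR, ProjectRoles.VIEWER, SHARED_BASE_ROLE]),
  baseUserList: new Set<string>([ProjectRoles.OWNER, ProjectRoles.EDITOR, ProjectRoles.VIEWER]),
  userInvite:   new Set<string>([ProjectRoles.OWNER, ProjectRoles.EDITOR, ProjectRoles.VIEWER]),
};

interface Session {
  userId?: string;            // absent for a link session (auth headers are dropped)
  sharedBaseId?: string;      // value of the xc-shared-base-id header, if present
  memberRole?: ProjectRoles;  // role from actual base membership, if any
}

// Vulnerable mapping: a shared-base session is treated as an ordinary VIEWER,
// so it inherits everything the ACL grants to VIEWER, including userInvite.
function resolveRoleVulnerable(s: Session): string | undefined {
  if (s.sharedBaseId) return ProjectRoles.VIEWER;
  return s.memberRole;
}

// Hardened mapping: any request carrying the shared-base header is a link session
// and gets a distinct role that the ACL limits to read operations.
function resolveRoleHardened(s: Session): string | undefined {
  if (s.sharedBaseId) return SHARED_BASE_ROLE;
  return s.memberRole;
}

function isAllowed(op: string, role: string | undefined): boolean {
  return role !== undefined && (ACL[op]?.has(role) ?? false);
}

function checkVulnerable(s: Session, op: string): boolean { return isAllowed(op, resolveRoleVulnerable(s)); }
function checkHardened(s: Session, op: string): boolean { return isAllowed(op, resolveRoleHardened(s)); }

// Constructed sessions: one with only the shared-base header, one genuine viewer member.
const linkSession: Session = { sharedBaseId: 'constructed-shared-base-uuid' };
const viewerSession: Session = { userId: 'user-1', memberRole: ProjectRoles.VIEWER };
```

The same ACL table serves both resolvers, which is the point: the fix is to stop mapping link sessions onto a role that carries membership rights, not to rewrite every grant.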
Published: 2026-06-23
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is a database-as-spreadsheet platform. Prior to version 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. By supplying only the shared-base UUID (xc-shared-base-id), an attacker can enumerate current base members and issue a new invitation to any arbitrary email address. The invited user can accept the invite via the normal signup flow, thereby gaining authenticated access that persists even if the link owner revokes the shared link, effectively allowing unauthorized persistent membership and privilege escalation within the base.

Affected Systems

The vulnerability affects all NocoDB deployments running any version prior to 2026.04.1. NocoDB is the product delivered by the vendor nocodb.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity vulnerability. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw using a shared-base link presented to a user: the shared-base UUID alone suffices to invite additional users as base members. The lack of distinction between shared sessions and authenticated viewers in the ACL logic is the root of the issue.

Generated by OpenCVE AI on June 24, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, which corrects the handling of shared-base sessions.
  • If an upgrade cannot be performed immediately, temporarily disable or restrict the generation of shared-base links so that users cannot create or share these links until the patch is applied.
  • After the upgrade, audit the base for any unexpected or newly added members and revoke any accounts that were added through the shared link.

Advisories

Source: GitHub GHSA
ID: GHSA-chqv-vrj7-qffp
Title: NocoDB: Shared-base link access can invite arbitrary users as persistent base members
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared. Values Added: Nocodb; Nocodb nocodb
Type: Vendors & Products. Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description. Values Added: the Description text shown at the top of this page
Type: Title. Values Added: NocoDB: Shared-base link access can invite arbitrary users as persistent base members
Type: Weaknesses. Values Added: CWE-285
Type: References.
Type: Metrics. Values Added: cvssV3_1, score 5.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:38:29.333Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46552

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses