Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is software for creating databases with spreadsheet-style interfaces. Prior to version 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without checking that the column was visible in the shared view. As a result, anyone holding a shared-view UUID could request any column ID and receive link data from any LTAR (LinkToAnotherRecord) column on the underlying table, even if the view owner had hidden that column from the view. The flaw is an authorization bypass classified as CWE-284 (Improper Access Control): the endpoints verified that the column belonged to the view's model but never consulted the view-column entry's show flag, so hidden relation data could be read without authentication, compromising confidentiality.
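To make the missing check concrete, the following TypeScript sketch is an added example, not NocoDB's own code: the type names, function names, and sample rows are assumptions constructed for illustration. It places the pre-fix logic the advisory describes (column must belong to the view's model, nothing more) beside a variant that additionally requires a view-column entry whose show flag is true, and runs both against a hidden LTAR column.

```typescript
// Illustrative model of a shared-view relation lookup. All names and data here
// are assumptions for the example, not NocoDB's actual types, functions or schema.

type Column = { id: string; fk_model_id: string; uidt: string; title: string };
type ViewColumn = { fk_column_id: string; show: boolean };
type View = { uuid: string; fk_model_id: string; columns: ViewColumn[] };

// Constructed sample metadata: one table (md_orders) with a text column, a
// visible link column and a hidden link column, plus a link column on another table.
const columns: Column[] = [
  { id: "col_name", fk_model_id: "md_orders", uidt: "SingleLineText", title: "Name" },
  { id: "col_public_link", fk_model_id: "md_orders", uidt: "LinkToAnotherRecord", title: "Products" },
  { id: "col_hidden_link", fk_model_id: "md_orders", uidt: "LinkToAnotherRecord", title: "Internal notes" },
  { id: "col_other_table", fk_model_id: "md_users", uidt: "LinkToAnotherRecord", title: "Sessions" },
];

// The publicly shared view: the owner hid "Internal notes" (show: false).
const sharedView: View = {
  uuid: "vw_shared_123",
  fk_model_id: "md_orders",
  columns: [
    { fk_column_id: "col_name", show: true },
    { fk_column_id: "col_public_link", show: true },
    { fk_column_id: "col_hidden_link", show: false },
  ],
};

// Constructed stand-in for the linked rows a relation endpoint would return per column.
const linkRows: Record<string, string[]> = {
  col_public_link: ["prod_1", "prod_2"],
  col_hidden_link: ["note_secret_1"],
  col_other_table: ["sess_9"],
};

// Resolve a caller-supplied column ID to an LTAR column, or undefined.
function findLtarColumn(columnId: string): Column | undefined {
  const col = columns.find((c) => c.id === columnId);
  return col && col.uidt === "LinkToAnotherRecord" ? col : undefined;
}

// Pre-fix behaviour as the advisory describes it: the column must belong to the
// view's model, but the view-column show flag is never consulted, so a hidden
// LTAR column on the same table is served.
function relDataListVulnerable(view: View, columnId: string): string[] | null {
  const col = findLtarColumn(columnId);
  if (!col || col.fk_model_id !== view.fk_model_id) return null; // other table: rejected
  return linkRows[col.id] ?? [];
}

// Hardened variant: the column must also appear in the view's column list with
// show === true. Columns hidden by the owner, or absent from the view, are rejected.
function relDataListFixed(view: View, columnId: string): string[] | null {
  const col = findLtarColumn(columnId);
  if (!col || col.fk_model_id !== view.fk_model_id) return null;
  const vc = view.columns.find((c) => c.fk_column_id === col.id);
  if (!vc || !vc.show) return null;
  return linkRows[col.id] ?? [];
}

// Stand-alone demonstration: same request against both variants.
console.log("vulnerable, hidden column:", relDataListVulnerable(sharedView, "col_hidden_link"));
console.log("fixed, hidden column:     ", relDataListFixed(sharedView, "col_hidden_link"));
console.log("fixed, visible column:    ", relDataListFixed(sharedView, "col_public_link"));
```

The model-membership check alone is what both variants share; the difference is the single lookup of the view-column entry. Note that the hardened check treats a column missing from the view's column list the same as a hidden one, which is the safe default when a new column has not yet been assigned a view-column row.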

Affected Systems

The affected product is NocoDB (nocodb:nocodb). Any installation running a version prior to 2026.05.1 is vulnerable. The problem lies in the public shared-view relation endpoints that accept a caller-supplied column ID, namely publicMmList, publicHmList, and relDataList as named in the description.

Risk and Exploitability

The CVSS v4.0 score of 6.9 indicates moderate severity: the vector records network reachability, low attack complexity, no privileges and no user interaction, with low confidentiality impact and no integrity or availability impact. No EPSS score is available and the vulnerability is not listed in CISA KEV, so there is no evidence of active exploitation. The threat is nonetheless realistic: shared-view UUIDs are meant to be distributed, the endpoints require no authentication, and an attacker needs only the UUID and the ID of a hidden LTAR column. With ordinary HTTP requests the attacker can read the linked records that the hidden column exposes and correlate them with other information.

Generated by OpenCVE AI on June 24, 2026 at 02:49 UTC.

Remediation

Fixed in NocoDB 2026.05.1, the release named in the description and in the GHSA advisory. No workaround other than upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade to NocoDB 2026.05.1, where the view-column visibility check is added to the public relation endpoints.
  • Treat shared-view UUIDs that were exposed while a vulnerable version was running as compromised: revoke those public shared-view URLs and regenerate new UUIDs for the affected views.
  • If public sharing is unnecessary, disable shared-view functionality; where it is needed, limit the number of publicly shared views and review which tables with sensitive LTAR columns are shared at all.

Advisories
Source: GitHub GHSA
ID: GHSA-9wgh-m22w-9xj8
Title: NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
History

Wed, 24 Jun 2026 01:30:00 +0000

Values Removed: none
Values Added:
  First Time appeared: Nocodb (vendor), Nocodb nocodb (product)
  Vendors & Products: Nocodb (vendor), Nocodb nocodb (product)

Tue, 23 Jun 2026 21:15:00 +0000

Values Removed: none
Values Added:
  Description: NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
  Title: NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
  Weaknesses: CWE-284
  References: (none listed)
  Metrics: cvssV4_0, score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:18:57.164Z

Reserved: 2026-05-18T23:03:37.230Z

Link: CVE-2026-47279

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses