Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is software for building databases with spreadsheet‑style interfaces. Before version 2026.05.1, the public shared‑view relation endpoints accepted a column ID supplied by the requester without verifying that the column was actually visible in the shared view. Specifically, while endpoints publicMmList, publicHmList, and relDataList validated that the requested column existed in the table’s model, they failed to check the view‑column entry’s show flag. Consequently, any user possessing a shared‑view UUID could supply any column ID and retrieve data from any LTAR column in the underlying table, including columns intentionally hidden by the view owner. This bug is a classic authorization bypass, classified as CWE‑284, and results in unauthorized exposure of protected column data.

Affected Systems

The affected product is NocoDB (nocodb:nocodb). Any installation using a version prior to 2026.05.1 is vulnerable. The problem exists in all public shared‑view relation endpoints that accept external column IDs.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting it is not known to be actively exploited. The threat is realistic because the shared view UUID is typically freely shared, and no authentication is required; an attacker merely needs the UUID and a valid column ID. Based on the description, it is inferred that a party possessing these two pieces of information can retrieve hidden column data without further authentication. With standard HTTP requests, the attacker can read the hidden column data and potentially correlate it with other information.

Generated by OpenCVE AI on June 24, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NocoDB 2026.05.1 where the authorization check is added.
  • Revoke any public shared‑view URLs that may have been exposed and request new UUIDs for the affected views.
  • If public sharing is unnecessary, disable shared view functionality or enforce stricter access controls to reduce exposure.

Generated by OpenCVE AI on June 24, 2026 at 09:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9wgh-m22w-9xj8 NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
Title NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:15:02.366Z

Reserved: 2026-05-18T23:03:37.230Z

Link: CVE-2026-47279

cve-icon Vulnrichment

Updated: 2026-06-24T13:14:59.002Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses