Impact
NocoDB is software for building databases with spreadsheet‑style interfaces. Before version 2026.05.1, the public shared‑view relation endpoints accepted a column ID supplied by the requester without verifying that the column was actually visible in the shared view. Specifically, while endpoints publicMmList, publicHmList, and relDataList validated that the requested column existed in the table’s model, they failed to check the view‑column entry’s show flag. Consequently, any user possessing a shared‑view UUID could supply any column ID and retrieve data from any LTAR column in the underlying table, including columns intentionally hidden by the view owner. This bug is a classic authorization bypass, classified as CWE‑284, and results in unauthorized exposure of protected column data.
Affected Systems
The affected product is NocoDB (nocodb:nocodb). Any installation using a version prior to 2026.05.1 is vulnerable. The problem exists in all public shared‑view relation endpoints that accept external column IDs.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting it is not known to be actively exploited. The threat is realistic because the shared view UUID is typically freely shared, and no authentication is required; an attacker merely needs the UUID and a valid column ID. Based on the description, it is inferred that a party possessing these two pieces of information can retrieve hidden column data without further authentication. With standard HTTP requests, the attacker can read the hidden column data and potentially correlate it with other information.
OpenCVE Enrichment
Github GHSA