Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 2026.04.1, NocoDB's public shared-view endpoints exposed values from columns that the view owner had hidden. The exposure existed through three independent code paths: groupBy returned raw values for any column named in the request; filter and sort arrays were applied to hidden columns, which allowed their values to be inferred one comparison at a time (boolean-blind extraction); and the related-data list accepted arbitrary link-column IDs, including those of other tables in the same base. Consequently, anyone holding a public shared-view URL could read data that was intended to remain concealed. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the server trusted client-supplied column identifiers without checking them against what the view actually exposes.

Affected Systems

The affected product is NocoDB. All versions released before 2026.04.1 are vulnerable. The vulnerability was fixed in the 2026.04.1 release. No other vendors are implicated.

Risk and Exploitability

The CVSS 4.0 score of 6.9 indicates moderate severity; the vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable, low-complexity issue that needs no privileges and no user interaction, with a low confidentiality impact and no integrity or availability impact. No EPSS value is published, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who can reach a publicly shared view endpoint; no credentials or privileged access are needed. Such an attacker could craft requests that use the groupBy, filter/sort, or related-data paths to extract hidden column values. Exploitation is easy because the endpoints are exposed to anyone holding the shared URL.

Generated by OpenCVE AI on June 24, 2026 at 02:47 UTC.
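The three paths above share one root cause: client-supplied column references are honoured without being checked against the set of columns the view actually exposes. The following JavaScript is an added illustration written for this page, not NocoDB's own code, of the allow-list check a shared-view handler can run before building any query. The view definition, column ids, sample rows and request shape (groupBy, filters, sorts, linkColumnId) are constructed assumptions for the example and do not describe NocoDB's API.

```javascript
// Added illustration, not NocoDB's own code: a server-side allow-list check that a
// public shared-view handler can run before any query is built. The view shape,
// column ids, row data and request shape are all constructed for this example.

// The view as its owner configured it. Hidden columns still exist in the table;
// the owner only expects them to be absent from what the shared view serves.
const sharedView = {
  tableId: 'tbl_employees',
  columns: [
    { id: 'col_id',     title: 'Id',     hidden: false },
    { id: 'col_dept',   title: 'Dept',   hidden: false },
    { id: 'col_salary', title: 'Salary', hidden: true },  // hidden by the owner
    { id: 'col_ssn',    title: 'SSN',    hidden: true },  // hidden by the owner
    { id: 'col_docs',   title: 'Docs',   hidden: false, isLink: true },
  ],
};

// Constructed sample rows, keyed by column id (SSN values are placeholders).
const SAMPLE_ROWS = [
  { col_id: 1, col_dept: 'eng', col_salary: 120000, col_ssn: '000-00-0001', col_docs: ['doc_1'] },
  { col_id: 2, col_dept: 'ops', col_salary: 80000,  col_ssn: '000-00-0002', col_docs: [] },
  { col_id: 3, col_dept: 'eng', col_salary: 95000,  col_ssn: '000-00-0003', col_docs: ['doc_2'] },
];

// Resolve a column reference (requests may name a column by id or by title) to a
// column of *this* view. A link-column id that belongs to another table in the
// base, or any other unknown reference, resolves to undefined.
function resolveColumn(view, ref) {
  return view.columns.find((c) => c.id === ref || c.title === ref);
}

// Filters may be nested groups; yield every column reference in the tree.
function* filterColumnRefs(filters) {
  for (const f of filters ?? []) {
    if (Array.isArray(f.children)) yield* filterColumnRefs(f.children);
    else yield f.colId;
  }
}

// Every reference in the request that is not a visible column of the view, tagged
// with the path (groupBy / filter / sort / relatedData) it arrived on. The related-
// data path additionally requires the reference to be a link column of this view.
function findHiddenColumnRefs(view, req) {
  const violations = [];
  const check = (path, ref, extra = () => true) => {
    const col = resolveColumn(view, ref);
    if (!col || col.hidden || !extra(col)) violations.push({ path, ref });
  };
  for (const ref of req.groupBy ?? []) check('groupBy', ref);
  for (const ref of filterColumnRefs(req.filters)) check('filter', ref);
  for (const s of req.sorts ?? []) check('sort', s.colId);
  if (req.linkColumnId !== undefined) {
    check('relatedData', req.linkColumnId, (c) => c.isLink === true);
  }
  return violations;
}

// Evaluate one filter node against a row (groups are AND-ed; operators kept minimal).
function matches(view, row, f) {
  if (Array.isArray(f.children)) return f.children.every((c) => matches(view, row, c));
  const value = row[resolveColumn(view, f.colId).id];
  switch (f.op) {
    case 'eq': return value === f.value;
    case 'gt': return value > f.value;
    default: throw new Error(`unsupported filter operator: ${f.op}`);
  }
}

// Handler-side use: reject the whole request with a generic 400 (logging the
// details server-side) instead of silently dropping the offending clause, so that
// the presence or absence of rows can never depend on a hidden column's value.
function handleSharedViewRequest(view, rows, req) {
  const violations = findHiddenColumnRefs(view, req);
  if (violations.length > 0) {
    const err = new Error('request references columns outside the shared view');
    err.status = 400;
    err.violations = violations; // for server-side logging, not for the response body
    throw err;
  }
  const visibleIds = view.columns.filter((c) => !c.hidden).map((c) => c.id);
  let result = rows.filter((row) => (req.filters ?? []).every((f) => matches(view, row, f)));
  // Apply sorts last-to-first so the first sort key ends up as the primary order.
  for (const s of [...(req.sorts ?? [])].reverse()) {
    const id = resolveColumn(view, s.colId).id;
    const dir = s.dir === 'desc' ? -1 : 1;
    result = [...result].sort((a, b) => (a[id] > b[id] ? dir : a[id] < b[id] ? -dir : 0));
  }
  // Projection happens last, and only over visible columns.
  return result.map((row) => Object.fromEntries(visibleIds.map((id) => [id, row[id]])));
}
```

The check refuses the whole request rather than ignoring the offending clause: if a filter on a hidden column were merely dropped, the response would still differ between "the hidden value matched" and "it did not", which is exactly the boolean-blind channel the advisory describes. Resolving references by id and by title covers the groupBy path, which accepted any column named in the request, and requiring the related-data reference to be a link column of this view closes the cross-table path.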

Remediation

No vendor fix or workaround is recorded in this field; the description and the recommended actions below state that the issue is fixed in release 2026.04.1.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later.
  • If an upgrade is not immediately possible, do not rely on hiding columns to protect them in shared views: remove sensitive columns from the shared views' underlying data set, since hidden columns can still be read through groupBy, filter/sort and related-data requests on affected versions.
  • Disable public sharing of views entirely if the shared data does not need to be publicly accessible.


Advisories

Source: GitHub GHSA
ID: GHSA-4w6r-5c2j-qf5f
Title: NocoDB: Hidden Column Exposure in Public Shared View Endpoints
History

Wed, 24 Jun 2026 01:30:00 +0000

Values removed: none
Values added:
  • First Time appeared: Nocodb; Nocodb nocodb
  • Vendors & Products: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Values removed: none
Values added:
  • Description: NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
  • Title: NocoDB: Hidden Column Exposure in Public Shared View Endpoints
  • Weaknesses: CWE-639
  • References:
  • Metrics: cvssV4_0
    {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-23T20:34:10.037Z
Reserved: 2026-05-19T19:22:45.728Z
Link: CVE-2026-47378

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key