Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is software for building databases as spreadsheets. Prior to version 2026.04.1, public shared‑view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean‑blind extraction, and the related‑data list accepted arbitrary link‑column IDs from other tables in the same base. Consequently, any user with a public shared‑view URL can read sensitive data that was intended to remain concealed. The weakness is classified as CWE‑639.

Affected Systems

The affected product is NocoDB. All versions released before 2026.04.1 are vulnerable. The vulnerability was fixed in the 2026.04.1 release. No other vendors are implicated.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS value is not published. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who can access a publicly shared view endpoint; no additional credentials or privileged access are needed. An attacker could craft requests that exploit groupBy, filter/sort, or related‑data paths to extract hidden column values. The ease of exploitation is high because the endpoints are exposed to anyone with the shared URL.

Generated by OpenCVE AI on June 24, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later.
  • If an upgrade is not immediately possible, reconfigure all shared views so that hidden columns are excluded from the view description or data set.
  • Disable public sharing of views entirely if the shared data does not need to be publicly accessible.

Generated by OpenCVE AI on June 24, 2026 at 09:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4w6r-5c2j-qf5f NocoDB: Hidden Column Exposure in Public Shared View Endpoints
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
Title NocoDB: Hidden Column Exposure in Public Shared View Endpoints
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T12:47:59.125Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47378

cve-icon Vulnrichment

Updated: 2026-06-25T12:47:55.793Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key