Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB’s shared-view password check used strict-equality (===) comparison for legacy plaintext passwords prior to version 2026.05.1, leaking the password’s length and per-character prefix through response timing, a type of sensitive information exposure (CWE‑200) and an information‑exposure‑through‑timing flaw (CWE‑203). This plaintext password comparison flaw enables an attacker to infer the password via a remote timing side‑channel and, with iterative attempts, gain unauthorized access to data exposed through the shared view. The vulnerability has been fixed in 2026.05.1.

Affected Systems

All installations of NocoDB running a version older than 2026.05.1 are affected. The vulnerability is confined to NocoDB; no other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 places the vulnerability in the moderate risk range. EPSS data is unavailable, and the flaw is not listed in CISA’s KEV catalog. The likely attack vector is a remote timing attack against the shared view access interface, requiring only the ability to issue repeated HTTP requests to the protected resource. Successful exploitation would not provide code execution but would allow iterative password brute‑force and subsequent unauthorized data access.

Generated by OpenCVE AI on June 24, 2026 at 10:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1 or later, in which the plaintext password handling has been corrected.
  • If an upgrade cannot be performed immediately, disable or remove password protection from shared views until the patch is applied.
  • Implement rate limiting or random response delays on the shared view endpoints as a temporary mitigation against timing attacks until the vulnerability is fixed.

Generated by OpenCVE AI on June 24, 2026 at 10:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qhxg-623c-cfjm NocoDB: Plaintext Password Comparison in Shared Views
History

Tue, 23 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
Title NocoDB: Plaintext Password Comparison in Shared Views
Weaknesses CWE-200
CWE-203
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nocodb Nocodb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:17:51.829Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47379

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-203

    Observable Discrepancy