Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A timing discrepancy in NocoDB’s sign‑in handler allows an attacker to determine whether a given email address is registered on the platform. Prior to 2026.04.1, the unknown‑user branch returned without performing a password hash comparison, creating a measurable difference in response time. This flaw enables an attacker to enumerate valid user accounts and potentially target subsequent credential‑guessing or social‑engineering attacks, but does not directly grant account access or execute code. The weakness is categorized as CWE‑208 and CWE‑307.

Affected Systems

The vulnerability affects installations of NocoDB released before 2026.04.1. Users running any older version of the software are exposed until they upgrade to 2026.04.1 or later, which removes the timing difference.

Risk and Exploitability

With a CVSS score of 6.3, this vulnerability is considered moderate. Attackers can abuse the public sign‑in endpoint over the network without requiring authentication or special permissions. By measuring response times, they can determine if an email address is known to the system, enabling account enumeration. This information can be used to focus password‑spraying, phishing, or other targeted attacks. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, indicating limited evidence of widespread exploitation, though the exposure remains valuable for threat actors.

Generated by OpenCVE AI on June 24, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, which removes the timing discrepancy in the sign‑in flow.
  • Configure the authentication endpoint to return a constant, generic response time regardless of whether the email exists, thereby eliminating timing clues.
  • Implement rate limiting or CAPTCHA on the sign‑in endpoint and enforce multi‑factor authentication to reduce the effectiveness of any remaining enumeration attempts.

Generated by OpenCVE AI on June 24, 2026 at 10:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jr54-jwhj-55gp NocoDB: User Enumeration via Sign-In Timing
History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
Title NocoDB: User Enumeration via Sign-In Timing
Weaknesses CWE-208
CWE-307
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T12:32:30.767Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47380

cve-icon Vulnrichment

Updated: 2026-06-24T12:32:25.295Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses
  • CWE-208

    Observable Timing Discrepancy

  • CWE-307

    Improper Restriction of Excessive Authentication Attempts