Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A timing discrepancy in NocoDB’s sign-in handler allows an attacker to determine whether a given email address is registered on the platform. Prior to 2026.04.1, the unknown-user branch returned without performing a password hash comparison, creating a measurable difference in response time between known and unknown addresses. This flaw enables an attacker to enumerate valid user accounts and use the result to target subsequent credential-guessing or social-engineering attacks, but it does not directly grant account access or execute code. The weakness is categorized as CWE-208 and CWE-307.

Affected Systems

The vulnerability affects installations of NocoDB released before 2026.04.1. Users running any older version of the software are exposed until they upgrade to 2026.04.1 or later, which removes the timing difference.

Risk and Exploitability

With a CVSS score of 6.3 the flaw is considered moderate in severity. The EPSS value is not available, and the issue is not listed in CISA’s KEV catalog. The attack vector is network-based, exploiting the public sign-in endpoint; no special privilege or authentication is required. The potential impact lies mainly in disclosure of account existence, which can aid further attacks such as password spraying. The risk is elevated in environments where user enumeration can lead to targeted phishing or credential compromise. However, the flaw does not allow direct compromise of system or data integrity.

Generated by OpenCVE AI on June 24, 2026 at 02:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, which removes the timing discrepancy in the sign‑in flow.
  • Configure the authentication endpoint to return a constant, generic response time regardless of whether the email exists, thereby eliminating timing clues.
  • Implement rate limiting or CAPTCHA on the sign‑in endpoint and enforce multi‑factor authentication to reduce the effectiveness of any remaining enumeration attempts.

Generated by OpenCVE AI on June 24, 2026 at 02:47 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-jr54-jwhj-55gp
Title: NocoDB: User Enumeration via Sign-In Timing
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared
Values Added: Nocodb, Nocodb nocodb

Type: Vendors & Products
Values Added: Nocodb, Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
Values Added: NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.

Type: Title
Values Added: NocoDB: User Enumeration via Sign-In Timing

Type: Weaknesses
Values Added: CWE-208, CWE-307

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:33:27.730Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47380

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-208: Observable Timing Discrepancy
  • CWE-307: Improper Restriction of Excessive Authentication Attempts