Impact
A timing discrepancy in NocoDB’s sign‑in handler allows an attacker to determine whether a given email address is registered on the platform. Prior to 2026.04.1, the unknown‑user branch returned without performing a password hash comparison, creating a measurable difference in response time. This flaw enables an attacker to enumerate valid user accounts and potentially target subsequent credential‑guessing or social‑engineering attacks, but does not directly grant account access or execute code. The weakness is categorized as CWE‑208 and CWE‑307.
Affected Systems
The vulnerability affects installations of NocoDB released before 2026.04.1. Users running any older version of the software are exposed until they upgrade to 2026.04.1 or later, which removes the timing difference.
Risk and Exploitability
With a CVSS score of 6.3, this vulnerability is considered moderate. Attackers can abuse the public sign‑in endpoint over the network without requiring authentication or special permissions. By measuring response times, they can determine if an email address is known to the system, enabling account enumeration. This information can be used to focus password‑spraying, phishing, or other targeted attacks. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, indicating limited evidence of widespread exploitation, though the exposure remains valuable for threat actors.
OpenCVE Enrichment
Github GHSA