Impact
NocoDB allows a user who is a member of one workspace to trigger the testConnection operation on an integration that belongs to another workspace. The root cause is a permission check that is evaluated against the integration's base without taking the caller's workspace context into account: the integration is fetched outside the caller's scope, and the caller's permission is accepted if it matches any base in any workspace rather than the workspace that owns the integration. An attacker can therefore exercise other workspaces' integrations without authorization, which may expose connection details, test the stored credentials against external services, or otherwise abuse whatever the integration can do. The weakness is catalogued as CWE‑290 (Authentication Bypass by Spoofing); the underlying defect is an authorization decision that never binds the caller's identity to the tenant scope of the resource being acted on.
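To make the mechanism concrete, here is a small in-memory model of the two checks, written for this page and not taken from NocoDB: the vulnerable handler looks the integration up by ID alone and only asks whether the caller holds a role somewhere, while the fixed handler resolves the integration inside the caller's workspace and requires membership there. All names (Caller, Integration, testConnectionVulnerable, testConnectionFixed, probe, the sample tenants) are assumptions for illustration.

```typescript
// Added example, not NocoDB's code. Models the scope bug described above
// beside a tenant-scoped check. All identifiers here are hypothetical.

interface Caller {
  userId: string;
  workspaceId: string; // workspace the request is made in
}

interface Integration {
  id: string;
  workspaceId: string; // owning workspace
  config: { host: string; user: string }; // connection details
}

// Constructed sample data: two tenants, one member and one integration each.
const memberships: Record<string, Set<string>> = {
  alice: new Set(["ws-a"]),
  bob: new Set(["ws-b"]),
};

const integrations: Integration[] = [
  { id: "int-1", workspaceId: "ws-a", config: { host: "db.a.internal", user: "svc_a" } },
  { id: "int-2", workspaceId: "ws-b", config: { host: "db.b.internal", user: "svc_b" } },
];

// Stand-in for the external connection probe; returns the host it would hit.
function probe(integration: Integration): string {
  return `connected:${integration.config.host}`;
}

// VULNERABLE: the integration is fetched by id with no tenant scope, and the
// permission check only verifies the caller is a member of *some* workspace.
// The integration's workspace is never compared with the caller's.
function testConnectionVulnerable(caller: Caller, integrationId: string): string {
  const integration = integrations.find((i) => i.id === integrationId);
  if (!integration) throw new Error("not found");
  const hasAnyRole = (memberships[caller.userId]?.size ?? 0) > 0;
  if (!hasAnyRole) throw new Error("forbidden");
  return probe(integration);
}

// FIXED: require membership in the caller's own workspace, then fetch the
// integration *within* that workspace. A foreign id now fails exactly like a
// nonexistent one, so the endpoint cannot be used as a cross-tenant oracle.
function testConnectionFixed(caller: Caller, integrationId: string): string {
  if (!memberships[caller.userId]?.has(caller.workspaceId)) throw new Error("forbidden");
  const integration = integrations.find(
    (i) => i.id === integrationId && i.workspaceId === caller.workspaceId,
  );
  if (!integration) throw new Error("not found");
  return probe(integration);
}

// Bob (member of ws-b only) targets int-1, which belongs to ws-a.
function attemptCrossTenant(
  handler: (c: Caller, id: string) => string,
): "allowed" | "denied" {
  const bob: Caller = { userId: "bob", workspaceId: "ws-b" };
  try {
    handler(bob, "int-1");
    return "allowed";
  } catch {
    return "denied";
  }
}
```

The check that matters is the one that ties the caller's workspace to the resource's workspace; a membership check that succeeds for "any workspace" is equivalent to no tenant check at all. When patching a handler like this, also audit sibling endpoints on the same resource, since the same unscoped fetch is usually shared.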
Affected Systems
The issue affects NocoDB (vendor/product nocodb:nocodb). Versions earlier than 2026.05.1 are vulnerable; release 2026.05.1 contains the fix. No other products or variants are listed as affected.
Risk and Exploitability
The CVSS score of 6.9 sits at the top of the Medium range, and the vulnerability is not on the CISA KEV list, so no exploitation in the wild has been catalogued. No EPSS score is available. Exploitation requires only an authenticated account that is a member of some workspace; from there the attacker can reach integrations in workspaces they do not belong to, so this is a cross-tenant authorization bypass rather than an unauthenticated remote attack. The request is an ordinary authenticated call to the testConnection endpoint carrying the target integration's ID, whether issued directly against the API or through the web UI. The direct impact is confined to the integration feature, but depending on the integration type it can disclose connection details or trigger unintended operations against the external service the integration points at.
OpenCVE Enrichment
GitHub GHSA