Description
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Published: 2026-06-26
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Teable's v2 REST API controller does not carry the @Permissions metadata on its ORPC endpoints that the authorization layer relies on, so any authenticated user can bypass the authorization checks. Attackers can read table schemas, create tables, and alter or delete records across any base or table through standard endpoints such as GET /api/v2/tables/get and POST /api/v2/tables/updateRecords. The flaw exposes sensitive data, permits integrity violations, and can lead to denial of service if critical tables are deleted. It corresponds to CWE-862: Missing Authorization.

Affected Systems

The flaw affects the Teable product published by the vendor teableio (listed as Teable). All users of the v2 REST API are impacted; no affected version range is listed in the available data, so the fix should be applied to every deployed instance that exposes these API endpoints.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is listed as unavailable, so although exploitation is feasible, there is currently no data indicating real-world usage. Because the flaw requires only authentication, any legitimate user credential can be abused. The vulnerability is not listed in the CISA KEV catalog, but the combination of high impact and broad accessibility makes it a critical risk for organizations relying on Teable for data storage and manipulation.

Generated by OpenCVE AI on June 26, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Teable release (e.g., the release dated June 15, 2026) that includes the missing @Permissions metadata on ORPC endpoints.
  • Reconfigure the API to enforce role-based access control, granting the minimal privileges required for each user role.
  • Audit current API users for privileged activity and rotate any credentials that may have been used during the breach period.
  • Continuously monitor API logs for unexpected table creation, schema modifications, or deletion of records to detect misuse early.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Teableio; Teableio teable
Vendors & Products | (none) | Teableio; Teableio teable

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Title | (none) | Teable - Missing Authorization in v2 REST API
Weaknesses | (none) | CWE-862
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T14:38:32.177Z

Reserved: 2026-06-23T01:22:22.571Z

Link: CVE-2026-56773

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses