Spoofing in nocodb

Description

NocoDB: Cross-Workspace Integration Use in Connection Test

Summary

A user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace.

Details

The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and checked only that the integration was non-private and that the caller held an owner/creator role on any base in any workspace. The permission lookup is now scoped to the integration's workspace by joining on fk_workspace_id, and the controller rejects requests where the integration's workspace differs from the request's workspace.
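The check before and after the fix, modelled in memory as an added example (not NocoDB's code). Every function, type and sample value is hypothetical and constructed for illustration; only the fk_workspace_id column name comes from the advisory.

```typescript
// Added illustration; every name here is hypothetical except fk_workspace_id.
type Role = "owner" | "creator" | "editor" | "viewer";
interface Integration { id: string; fk_workspace_id: string; is_private: boolean }
interface Base { id: string; fk_workspace_id: string }
interface BaseUser { fk_user_id: string; fk_base_id: string; role: Role }

// Constructed sample data: two tenants, one integration owned by ws_b.
const integrations: Integration[] = [
  { id: "int_b1", fk_workspace_id: "ws_b", is_private: false },
];
const bases: Base[] = [
  { id: "base_a1", fk_workspace_id: "ws_a" },
  { id: "base_b1", fk_workspace_id: "ws_b" },
];
const baseUsers: BaseUser[] = [
  { fk_user_id: "alice", fk_base_id: "base_a1", role: "creator" },
  { fk_user_id: "bob", fk_base_id: "base_b1", role: "owner" },
];

const isPrivileged = (r: Role): boolean => r === "owner" || r === "creator";

// Before: integration looked up by ID alone, role matched on any base anywhere.
function mayTestUnscoped(userId: string, integrationId: string): boolean {
  const integ = integrations.find((i) => i.id === integrationId);
  if (!integ || integ.is_private) return false;
  return baseUsers.some((bu) => bu.fk_user_id === userId && isPrivileged(bu.role));
}

// After: reject a workspace mismatch, then join the role lookup on fk_workspace_id.
function mayTestScoped(userId: string, requestWorkspaceId: string, integrationId: string): boolean {
  const integ = integrations.find((i) => i.id === integrationId);
  if (!integ || integ.is_private) return false;
  const ws = integ.fk_workspace_id;
  if (ws !== requestWorkspaceId) return false; // controller-level rejection
  return baseUsers.some((bu) => {
    if (bu.fk_user_id !== userId || !isPrivileged(bu.role)) return false;
    const base = bases.find((b) => b.id === bu.fk_base_id);
    return base !== undefined && base.fk_workspace_id === ws;
  });
}
```

The two checks in the scoped version cover different cases: the workspace comparison stops a request made from another workspace, and the joined role lookup stops a caller who names the right workspace but holds no owner or creator role inside it.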

Impact

Cross-tenant access to integration configuration through the connection-test endpoint, including the ability to drive the resolved database with the other workspace's credentials. Authentication with creator-or-owner role on any base in any workspace was sufficient.

Credit

This issue was reported by @DongyangLyu.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions