User enumeration in NocoDB

Description

NocoDB Vulnerable to User Enumeration via Password Reset Endpoint

Summary

The forgot-password endpoint returned different responses for registered and unregistered emails, allowing user enumeration.

Details

POST /api/v2/auth/password/forgot returned a success message for registered emails but "Your email has not been registered." for unknown emails. The fix returns a uniform response regardless of whether the email exists.
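The following is an added illustration, not NocoDB's own code: a minimal forgot-password handler in the vulnerable form described above next to a hardened form that answers identically for known and unknown emails, plus a regression check a maintainer could run. The user store, the success message text and the mail queue are constructed for the example.

```typescript
interface ForgotResponse { status: number; msg: string; }

// Constructed stand-in for the application's user table.
const registeredUsers = new Set<string>(["alice@example.com"]);

// Constructed stand-in for the outgoing mail queue.
const queued: string[] = [];
function queueResetMail(email: string): void { queued.push(email); }
function queuedMails(): string[] { return [...queued]; }

// Vulnerable form: the response body reveals whether the email exists.
function forgotPasswordVulnerable(email: string): ForgotResponse {
  if (!registeredUsers.has(email)) {
    return { status: 400, msg: "Your email has not been registered." };
  }
  queueResetMail(email);
  return { status: 200, msg: "Please check your email to reset the password." }; // constructed text
}

// Hardened form: same status and message on both branches. Mail is still
// only queued for registered accounts, but nothing about that reaches the caller.
function forgotPasswordHardened(email: string): ForgotResponse {
  if (registeredUsers.has(email)) {
    queueResetMail(email);
  }
  return { status: 200, msg: "If that email is registered, a reset link has been sent." };
}

// Regression check: a known and an unknown email must produce identical responses.
function responsesAreUniform(handler: (email: string) => ForgotResponse): boolean {
  const known = handler("alice@example.com");
  const unknown = handler("nobody@example.com");
  return known.status === unknown.status && known.msg === unknown.msg;
}
```

Running `responsesAreUniform` against each handler shows the vulnerable form failing and the hardened form passing, which is the property the fix restores.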

Impact

An unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.

Credit

This issue was reported by @Tulgaaaaaaaa.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
