logo

Database

Lack of protection against brute force attacks In nocodb

Description

NocoDB: User Enumeration via Sign-In Timing

Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

Details

The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

Credit

This issue was reported by @AndyAnh174.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-473802. NVD-2026-473803. OSV-2026-473804. GHSA-jr54-jwhj-55gp5. GCVE-2026-47380

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-jr54-jwhj-55gp2. https://github.com/nocodb/nocodb/releases/tag/2026.04.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.