Non-encrypted confidential information in NocoDB

Description

NocoDB has Plaintext Storage of Shared View Passwords

Summary

Shared view passwords were stored in plaintext in the database and compared using direct string equality.

Details

The password column in nc_views stored unhashed passwords. Verification used a direct !== string comparison in public-datas.service.ts, public-metas.service.ts, and calendar-datas.service.ts.
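
The plaintext pattern described above next to a hashed alternative, as an added example that is not NocoDB's code or its actual patch. The function names, the stored-string format and the choice of scrypt (from Node's built-in crypto module) are assumptions made for illustration.

```javascript
// Added example, not NocoDB source. Function names and the stored-string
// format are hypothetical; scrypt is an assumed choice of password hash.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const KEY_LEN = 32;
// Stored format: scrypt$<16-byte salt, hex>$<32-byte derived key, hex>
const HASHED = /^scrypt\$([0-9a-f]{32})\$([0-9a-f]{64})$/;

// "Before": the pattern the advisory describes. The column holds the password
// itself, so anyone who can read the row can read the password.
function verifyPlaintext(storedPassword, supplied) {
  return storedPassword === supplied;
}

// "After": store only a salted, slow hash of the password.
function hashViewPassword(password) {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN);
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

// Re-derive the key from the supplied password and compare in constant time.
// Values not in the hashed format (legacy plaintext rows) are rejected.
function verifyViewPassword(stored, supplied) {
  if (typeof stored !== 'string' || typeof supplied !== 'string') return false;
  const m = HASHED.exec(stored);
  if (!m) return false;
  const expected = Buffer.from(m[2], 'hex');
  const actual = scryptSync(supplied, Buffer.from(m[1], 'hex'), KEY_LEN);
  return timingSafeEqual(actual, expected);
}

// One-time migration step for an existing row: hash a legacy plaintext value,
// leave an already-hashed value untouched.
function migrateStoredPassword(stored) {
  return HASHED.test(stored) ? stored : hashViewPassword(stored);
}

// Constructed sample row, for illustration only.
const legacyRow = { password: 'team-view-2024' };
const migrated = migrateStoredPassword(legacyRow.password);
console.log('plaintext check passes:', verifyPlaintext(legacyRow.password, 'team-view-2024'));
console.log('password visible in migrated value:', migrated.includes('team-view-2024'));
console.log('hashed check passes:', verifyViewPassword(migrated, 'team-view-2024'));
```

Because verifyViewPassword rejects anything that is not in the hashed format, existing rows have to pass through the migration step before the new check is enabled.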

Impact

If the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.

Credit

This issue was reported by @Tulgaaaaaaaa.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
