Improper authorization control for web services in nocodb

Description

NocoDB Missing Ownership Validation in MCP Token Operations

Summary

The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known.

Details

McpTokenService.get(), regenerateToken(), and delete() did not filter by fk_user_id. The analogous ApiTokensService correctly enforced ownership.
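As an added illustration (not NocoDB's own code; all names except fk_user_id are hypothetical), the three operations modelled over an in-memory store, once with the id-only lookup the advisory describes and once with the ownership filter that ApiTokensService already applied:

```typescript
// Added illustration, not NocoDB's code: the owner check the advisory reports
// as missing, modelled as an in-memory token store. Names are hypothetical
// except fk_user_id, which the advisory itself names.
interface McpToken { id: string; fk_user_id: string; base_id: string; secret: string; }

// Constructed sample data: two Creators in the same base, one token each.
function sampleStore(): McpToken[] {
  return [
    { id: "t1", fk_user_id: "alice", base_id: "b1", secret: "s-alice-1" },
    { id: "t2", fk_user_id: "bob", base_id: "b1", secret: "s-bob-1" },
  ];
}

class McpTokenService {
  private counter = 0;
  // scoped=false reproduces the vulnerable lookup (token id only);
  // scoped=true is the fix: every operation also filters by fk_user_id.
  constructor(private store: McpToken[], private scoped: boolean) {}

  private find(tokenId: string, callerId: string): number {
    return this.store.findIndex(
      (t) => t.id === tokenId && (!this.scoped || t.fk_user_id === callerId),
    );
  }

  get(tokenId: string, callerId: string): McpToken | undefined {
    const i = this.find(tokenId, callerId);
    return i < 0 ? undefined : this.store[i];
  }

  regenerateToken(tokenId: string, callerId: string): McpToken | undefined {
    const t = this.get(tokenId, callerId);
    if (t) t.secret = `s-${t.fk_user_id}-r${++this.counter}`; // rotate the secret
    return t;
  }

  delete(tokenId: string, callerId: string): boolean {
    const i = this.find(tokenId, callerId);
    if (i < 0) return false;
    this.store.splice(i, 1);
    return true;
  }
}

// Each service gets its own copy of the store so the two can be compared.
const vulnerable = new McpTokenService(sampleStore(), false);
const patched = new McpTokenService(sampleStore(), true);
```

With the scoped lookup a caller who is not the token's owner gets the same "not found" result as for a nonexistent id, so nothing about another user's token is disclosed, rotated or removed.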

Impact

Limited — requires Creator role and knowledge of target token ID. Primary risk is denial of service (invalidating tokens) and scoped token disclosure.

Credit

This issue was reported by @bugbunny-research (bugbunny.ai).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
