Improper authorization control for web services in nocodb
Description
NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
Summary
The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden.
Details
publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. All three handlers now also fetch the shared view's column entries and reject the request unless the matching entry has show=true. The four public relation routes covered by the fix are:

- GET /api/v2/public/shared-view/:uuid/rows/:rowId/mm/:columnId (many-to-many)
- GET /api/v2/public/shared-view/:uuid/rows/:rowId/hm/:columnId (has-many)
- GET /api/v2/public/shared-view/:uuid/rows/:rowId/{ln,om}/:columnId (links / one-to-many; both share the many-to-many handler)
- GET /api/v2/public/shared-view/:uuid/nested/:columnId (form/gallery picker)
Impact
Anyone holding a share UUID could enumerate the full set of linked records for any hidden LTAR column on the view's table by calling the relation endpoint directly, even when the same column was correctly omitted from the public /rows response.
Credit
This issue was reported by @leduckhuong.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
npm | 2026.05.1 |
Aliases
References