CVE-2026-46552 in NocoDB
Summary
by MITRE • 06/24/2026
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
Analysis
by VulDB Data Team • 06/24/2026
This vulnerability resides in NocoDB's access control, specifically in how shared-base sessions are handled and what privileges they receive. The flaw stems from an insufficient distinction between authenticated users and users arriving through shared links, producing an authorization bypass that lets an attacker enumerate legitimate base members and invite arbitrary email addresses into the base. The xc-shared-base-id header identifies a shared-base session, but the system does not restrict what that session may do based on the fact that it is a shared session rather than an authenticated one.
Several components combine to create the gap. In packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, shared-base sessions are explicitly mapped to ProjectRoles.VIEWER, and packages/nocodb/src/utils/acl.ts grants that role baseUserList and userInvite, capabilities that would normally be reserved for base owners or administrators. The mapping therefore opens a privilege escalation path in which a shared session can perform operations meant only for authenticated members.
The frontend code in packages/nc-gui/composables/useApi/interceptors.ts compounds the issue by deliberately stripping authentication headers in favor of the shared-base header, which in effect lets the system treat shared access as authenticated access. Because the ACL middleware does not differentiate genuine authenticated viewers from shared-link sessions, frontend behavior and backend authorization logic end up mismatched.
The vulnerability maps to CWE-284 (Improper Access Control) and aligns with ATT&CK technique T1078 (Valid Accounts), since an attacker can use the invitation mechanism to establish persistent access. The impact goes beyond enumeration: because the invited user keeps authenticated access even after the owner revokes the shared link, the result is potential data exposure and privilege escalation, and a persistent path by which unauthorized individuals obtain legitimate system access through social engineering or automated enumeration.
Mitigation requires the ACL middleware to differentiate session types, so that shared-base sessions cannot perform privileged operations such as inviting users or enumerating members. The fix in version 2026.04.1 strengthens the authorization checks to distinguish authenticated users from shared-link sessions, so a shared session keeps its limited VIEWER privileges without being able to escalate to member-level capabilities.
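The role mapping and the fix described above, reduced to a small TypeScript model. This is an added illustration, not NocoDB's own code: only ProjectRoles.VIEWER, baseUserList and userInvite are taken from the advisory; the Session type, the dataList permission, the OWNER row, sharedBaseAllow and the authorize* functions are constructed for the example. It shows the vulnerable shape (the shared-base strategy collapses the session into a VIEWER role before the ACL sees it) beside a hardened shape that decides shared-base requests from their own allow-list before any role lookup.

```typescript
// Added illustration, not NocoDB source: a minimal ACL model showing why
// collapsing a shared-base session into a member role over-grants, and one
// way to keep the two session types apart in the authorization check.
// ProjectRoles.VIEWER, baseUserList and userInvite come from the advisory;
// every other name (Session, authorize*, dataList, sharedBaseAllow) is
// constructed for this example.

enum ProjectRoles {
  OWNER = "owner",
  VIEWER = "viewer",
}

type Permission = "dataList" | "baseUserList" | "userInvite";

// Role -> permission table in the spirit of acl.ts. The advisory states that
// VIEWER held baseUserList and userInvite; the OWNER row and the dataList
// permission are assumptions added so the example has a read operation.
const acl: Record<ProjectRoles, ReadonlySet<Permission>> = {
  [ProjectRoles.OWNER]: new Set<Permission>(["dataList", "baseUserList", "userInvite"]),
  [ProjectRoles.VIEWER]: new Set<Permission>(["dataList", "baseUserList", "userInvite"]),
};

// What the middleware knows about a request: a logged-in member carries a
// role from their membership; a shared-base request carries only the
// xc-shared-base-id value and no user identity at all.
type Session =
  | { kind: "authenticated"; userId: string; role: ProjectRoles }
  | { kind: "sharedBase"; sharedBaseId: string };

// Vulnerable shape: the strategy maps any shared-base session to VIEWER, so by
// the time the ACL runs it cannot tell a link holder from a real viewer.
function authorizeVulnerable(session: Session, perm: Permission): boolean {
  const role = session.kind === "authenticated" ? session.role : ProjectRoles.VIEWER;
  return acl[role].has(perm);
}

// Hardened shape: shared-base sessions are decided by their own allow-list
// before any role lookup. Member management is simply not on that list, so no
// later change to the VIEWER row can re-open it. Real viewers are unaffected.
const sharedBaseAllow: ReadonlySet<Permission> = new Set<Permission>(["dataList"]);

function authorizeHardened(session: Session, perm: Permission): boolean {
  if (session.kind === "sharedBase") {
    return sharedBaseAllow.has(perm);
  }
  return acl[session.role].has(perm);
}

// Runs both policies over the same requests so the difference is visible.
// Keys are "<policy>:<sessionKind>:<permission>".
function compareAcls(): Record<string, boolean> {
  const sessions: Session[] = [
    { kind: "sharedBase", sharedBaseId: "00000000-0000-0000-0000-000000000000" }, // constructed UUID
    { kind: "authenticated", userId: "u1", role: ProjectRoles.VIEWER },
  ];
  const perms: Permission[] = ["dataList", "baseUserList", "userInvite"];
  const out: Record<string, boolean> = {};
  for (const s of sessions) {
    for (const p of perms) {
      out[`vulnerable:${s.kind}:${p}`] = authorizeVulnerable(s, p);
      out[`hardened:${s.kind}:${p}`] = authorizeHardened(s, p);
    }
  }
  return out;
}

console.log(compareAcls());
```

The point of checking the session kind before the role table is that the decision no longer depends on keeping the VIEWER row minimal: an authenticated viewer may legitimately need baseUserList, and with a separate allow-list for link holders that grant cannot leak to them.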
Organizations using NocoDB should upgrade to version 2026.04.1 or later immediately. Administrators should also review existing shared-base configurations, revoke any shared links that are no longer needed, and monitor for unauthorized access attempts. The issue illustrates why different session types must be kept strictly separate and why access control policies must prevent privilege escalation through legitimate features.
This is a classic case of insufficient input validation and authorization logic, where a feature built for convenience inadvertently creates a security vulnerability. It highlights the need to test access control mechanisms thoroughly, particularly in systems that support both authenticated and anonymous access. Security teams should monitor for unusual invitation patterns or enumeration attempts that might indicate exploitation of similar authorization bypasses in other applications.
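One way to act on the monitoring advice above, as an added example that is not part of the advisory or of NocoDB: scan access-log records for member-management calls that were authorized by nothing but the xc-shared-base-id header. The record shape, the field names, the endpoint path fragments and the sample log lines are all constructed for this example; real NocoDB routes and log fields should be substituted from your own deployment.

```typescript
// Added example, not NocoDB code: flag requests that reached member-management
// endpoints while carrying only xc-shared-base-id and no user credential.
// The record shape, field names and endpoint path fragments are constructed
// for this example; substitute the routes and log fields of your deployment.

interface AccessLogEntry {
  ts: string;
  method: string;
  path: string;
  status: number;
  hasUserCredential: boolean; // a user auth token or cookie was present
  sharedBaseId?: string;      // value of the xc-shared-base-id header, if sent
}

interface Finding {
  ts: string;
  sharedBaseId: string;
  request: string;
  outcome: "succeeded" | "denied";
}

// Hypothetical path fragments standing in for "list base members" and
// "invite a user". Real routes differ between versions.
const MEMBER_MGMT_PATTERNS: ReadonlyArray<RegExp> = [/\/users(\/|$)/, /\/invite(\/|$)/];

function isMemberManagement(path: string): boolean {
  return MEMBER_MGMT_PATTERNS.some((re) => re.test(path));
}

// A shared-base session should only ever read data. A member-management call
// carrying the shared header and no user credential is the signature of the
// over-grant; a 4xx on the same call is evidence of an attempt after the fix.
function detectSharedBaseOvergrant(entries: AccessLogEntry[]): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    if (!e.sharedBaseId || e.hasUserCredential) continue;
    if (!isMemberManagement(e.path)) continue;
    findings.push({
      ts: e.ts,
      sharedBaseId: e.sharedBaseId,
      request: `${e.method} ${e.path}`,
      outcome: e.status < 400 ? "succeeded" : "denied",
    });
  }
  return findings;
}

// Count findings per shared-base id so a burst from one link stands out.
function countBySharedBase(findings: Finding[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of findings) {
    counts.set(f.sharedBaseId, (counts.get(f.sharedBaseId) ?? 0) + 1);
  }
  return counts;
}

// Constructed sample log: one ordinary shared-base read, two member-management
// calls from the same link that succeeded, one legitimate authenticated
// member listing, and one denied attempt from a second link.
const SAMPLE_LOG: AccessLogEntry[] = [
  { ts: "2026-06-24T10:00:01Z", method: "GET", path: "/api/example/bases/b1/tables", status: 200, hasUserCredential: false, sharedBaseId: "sb-aaaa" },
  { ts: "2026-06-24T10:00:05Z", method: "GET", path: "/api/example/bases/b1/users", status: 200, hasUserCredential: false, sharedBaseId: "sb-aaaa" },
  { ts: "2026-06-24T10:00:09Z", method: "POST", path: "/api/example/bases/b1/users/invite", status: 200, hasUserCredential: false, sharedBaseId: "sb-aaaa" },
  { ts: "2026-06-24T10:01:00Z", method: "GET", path: "/api/example/bases/b1/users", status: 200, hasUserCredential: true },
  { ts: "2026-06-24T10:02:00Z", method: "POST", path: "/api/example/bases/b2/users/invite", status: 403, hasUserCredential: false, sharedBaseId: "sb-bbbb" },
];

for (const f of detectSharedBaseOvergrant(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.sharedBaseId} ${f.request} -> ${f.outcome}`);
}
```

Successful findings on a pre-fix deployment are the ones to follow up on: the invited address can be found in the base's member list and the membership removed, since revoking the shared link alone does not undo the invitation. Denied findings after upgrading show the control is working but still identify which shared links are being probed and should be rotated.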
The vulnerability also underscores the principle of least privilege: shared sessions should never receive capabilities beyond what their purpose requires. Sound access control design keeps sessions established through shared links restricted from administrative operations while still permitting legitimate read-only access to data, a balance that collaborative database applications must maintain carefully.
For organizations that rely on NocoDB's shared-base functionality the risk is significant, since an attacker can gain persistent database access through a seemingly innocuous invitation mechanism. The fix validates the session type properly while preserving the intended usability of shared bases for legitimate collaboration. Regular security assessments and penetration testing should look for similar authorization bypass opportunities in other collaborative systems that handle shared access.