Authentication Flaw in NocoDB Database Software
CVE-2026-46552

5.8 MEDIUM

Key Information:

Vendor: Nocodb

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-46552?

NocoDB, a flexible software platform for managing databases as spreadsheets, had a significant access control issue in versions prior to 2026.04.1. Through shared-base sessions, unauthorized individuals could gain roles and capabilities normally reserved for authenticated users. An attacker could use a shared-base UUID to enumerate base members and invite any email address, granting that user full member privileges. The invited user could keep that access even after the original owner rescinded the shared link. The root cause was a failure to distinguish shared sessions from genuine users, which left user roles and permissions open to exploitation.
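The root cause named above, not telling a shared-base session apart from a signed-in user, can be modelled with a principal type that records how the caller got in. The TypeScript below is an added example, not NocoDB's code: every type, function, role and identifier in it is hypothetical, and the flawed variant is a simplified model of the pattern rather than the actual defect.

```typescript
// Added example: every name below is hypothetical, not NocoDB's code.
type Action = "base:read" | "members:list" | "members:invite";
type Role = "owner" | "editor" | "viewer";
// The principal records HOW the caller got in, not only which base it touches.
type Principal =
  | { kind: "user"; userId: string; roles: Record<string, Role> }
  | { kind: "shared-base"; sharedBaseUuid: string; baseId: string };

const ROLE_ACTIONS: Record<Role, Action[]> = {
  owner: ["base:read", "members:list", "members:invite"],
  editor: ["base:read", "members:list"],
  viewer: ["base:read"],
};
// Everything a shared-link session may do; member management is never listed.
const SHARED_ACTIONS: Action[] = ["base:read"];

// Simplified model of the flawed pattern (an assumption): the shared session is
// mapped onto a role and then passes the same check as a signed-in user.
function authorizeFlawed(p: Principal, baseId: string, action: Action): boolean {
  const role: Role | undefined =
    p.kind === "user" ? p.roles[baseId] : p.baseId === baseId ? "owner" : undefined;
  return role !== undefined && ROLE_ACTIONS[role].indexOf(action) !== -1;
}

// Hardened check: branch on the principal kind first, deny by default.
function authorize(p: Principal, baseId: string, action: Action): boolean {
  if (p.kind === "shared-base") {
    // Bound to one base, limited to the allow-list, no role lookup at all.
    return p.baseId === baseId && SHARED_ACTIONS.indexOf(action) !== -1;
  }
  if (p.kind === "user") {
    const role: Role | undefined = p.roles[baseId];
    return role !== undefined && ROLE_ACTIONS[role].indexOf(action) !== -1;
  }
  return false; // unknown principal kinds get nothing
}

// Constructed principals for a regression check on the member endpoints.
const sharedVisitor: Principal = {
  kind: "shared-base", sharedBaseUuid: "00000000-0000-4000-8000-000000000000", baseId: "base_demo",
};
const owner: Principal = { kind: "user", userId: "u_owner", roles: { base_demo: "owner" } };
function memberActions(check: typeof authorize, p: Principal): Action[] {
  const wanted: Action[] = ["members:list", "members:invite"];
  return wanted.filter((a) => check(p, "base_demo", a));
}
console.log("flawed, shared session:", memberActions(authorizeFlawed, sharedVisitor));
console.log("hardened, shared session:", memberActions(authorize, sharedVisitor));
console.log("hardened, owner:", memberActions(authorize, owner));
```

Keeping a check like `memberActions` in the test suite for every member-management route catches a regression where a new principal kind is again folded into the role lookup.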

Affected Version(s)

nocodb < 2026.04.1

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
