Data Exposure Vulnerability in NocoDB by NocoDB
CVE-2026-47378

6.9 MEDIUM

Key Information:

Vendor: Nocodb

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-47378?

NocoDB, a platform for building database applications with a spreadsheet-like interface, had a vulnerability in which public shared-view endpoints disclosed hidden column values. There were multiple exploit paths: the groupBy function returned raw values for the specified columns, and filter and sort operations handled hidden columns incorrectly, which allowed unintended data extraction. In addition, the related-data list feature accepted arbitrary link-column IDs from other tables, amplifying the risk of exposure. The vulnerability was addressed in version 2026.04.1.
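A server-side guard covering the paths described above, as an added example that is not NocoDB's code or its actual fix: every column a public shared-view request names in groupBy, sort, filter or a related-data lookup is checked against the columns the view exposes, and anything else is rejected. The metadata shape, field names and IDs are assumptions constructed for illustration.

```javascript
// Constructed sample metadata (hypothetical shape, not NocoDB's real schema).
const sharedView = {
  tableId: "tbl_orders",
  columns: [
    { id: "c_name", tableId: "tbl_orders", type: "text", visible: true },
    { id: "c_items", tableId: "tbl_orders", type: "link", visible: true },
    { id: "c_salary", tableId: "tbl_orders", type: "text", visible: false },
  ],
};

// Collect every column id a filter tree references, including nested groups.
function filterColumnIds(filters = []) {
  return filters.flatMap((f) =>
    f.children ? filterColumnIds(f.children) : [f.columnId]);
}

// Returns a list of violations; an empty list means the query may run.
// Unknown, hidden and foreign-table columns all fail closed the same way.
function checkSharedViewQuery(view, query) {
  const exposed = new Map(
    view.columns
      .filter((c) => c.visible && c.tableId === view.tableId)
      .map((c) => [c.id, c]));
  const refs = [
    ...(query.groupBy !== undefined ? [["groupBy", query.groupBy]] : []),
    ...(query.sort || []).map((s) => ["sort", s.columnId]),
    ...filterColumnIds(query.filters).map((id) => ["filter", id]),
  ];
  const problems = [];
  for (const [where, id] of refs) {
    if (!exposed.has(id)) {
      problems.push(`${where}: column ${id} is not exposed by this view`);
    }
  }
  // Related-data listing: the link column must be an exposed link column
  // of the view's own table, never an arbitrary id from another table.
  if (query.linkColumnId !== undefined) {
    const col = exposed.get(query.linkColumnId);
    if (!col || col.type !== "link") {
      problems.push(`link: column ${query.linkColumnId} is not a link column of this view`);
    }
  }
  return problems;
}
```

Filters and sorts are checked as strictly as groupBy because a condition or ordering on a hidden column reveals its values through which rows come back, even when the column itself is never returned.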

Affected Version(s)

nocodb < 2026.04.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
