PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47279 nocodb CVE debrief

CVE-2026-47279 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, the public shared-view relation endpoints publicMmList, publicHmList, and relDataList did not verify that a caller-supplied column ID was visible in the shared view. This allowed anyone holding a share UUID to read links from any LTAR column of the underlying table, including columns hidden from the view. The vulnerability was fixed in version 2026.05.1.

Vendor: nocodb
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Security teams and administrators running NocoDB should be aware of this vulnerability and ensure that their instances are updated to version 2026.05.1 or later. It could allow unauthorized access to sensitive data through shared views, because hiding a column in a shared view did not prevent its relation data from being read. Owners of shared views should review them to ensure that sensitive columns are not exposed.

Technical summary

The affected endpoints, publicMmList, publicHmList, and relDataList, accept a caller-supplied column ID when serving relation data for a public shared view. Before the fix they checked only that the requested column belonged to the view's model; they did not check the view-column entry's show flag, which is what marks a column as hidden in that view. Anyone with the share UUID could therefore request link data for LTAR columns hidden from the shared view. This issue was addressed in version 2026.05.1.
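The authorization gap described above, as an added illustration that is not NocoDB's own code: a constructed model and shared view, a column lookup that checks only model membership (the pre-fix behaviour), and a lookup that additionally requires the view-column show flag. All names and the sample data are hypothetical.

```typescript
// Constructed illustration of the missing show-flag check; not NocoDB code.
interface Column { id: string; title: string; uidt: string } // uidt: column type
interface ViewColumn { fk_column_id: string; show: boolean } // per-view visibility
interface Model { id: string; columns: Column[] }
interface View { id: string; fk_model_id: string; columns: ViewColumn[] }

// Constructed sample: a table with two link (LTAR) columns, one hidden in the shared view.
const model: Model = {
  id: "md_sample",
  columns: [
    { id: "cl_public_links", title: "Public links", uidt: "LinkToAnotherRecord" },
    { id: "cl_secret_links", title: "Internal links", uidt: "LinkToAnotherRecord" },
  ],
};
const sharedView: View = {
  id: "vw_shared",
  fk_model_id: "md_sample",
  columns: [
    { fk_column_id: "cl_public_links", show: true },
    { fk_column_id: "cl_secret_links", show: false }, // hidden from the shared view
  ],
};

// Pre-fix behaviour: accepts any column that belongs to the view's model,
// so a hidden LTAR column is resolved just like a visible one.
function resolveColumnVulnerable(view: View, m: Model, columnId: string): Column | null {
  if (view.fk_model_id !== m.id) return null;
  return m.columns.find((c) => c.id === columnId) ?? null;
}

// Fixed behaviour: the column must also have a view-column entry with show === true.
// A column absent from the view's column list is treated as hidden (fail closed).
function resolveColumnFixed(view: View, m: Model, columnId: string): Column | null {
  const col = resolveColumnVulnerable(view, m, columnId);
  if (!col) return null;
  const vc = view.columns.find((v) => v.fk_column_id === columnId);
  return vc !== undefined && vc.show ? col : null;
}
```

With the sample data, the vulnerable lookup returns the hidden column while the fixed lookup returns null for it and still serves the visible one.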

Defensive priority

Medium priority should be given to updating NocoDB instances to version 2026.05.1 or later. Security teams should review shared views to ensure that sensitive columns are not exposed.

Recommended defensive actions

  • Update NocoDB to version 2026.05.1 or later.
  • Review shared views to ensure that sensitive columns are not exposed.
  • Monitor for unauthorized access to shared views.
  • Verify that column visibility is properly configured in shared views.
  • Restrict access to shared views with sensitive data.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The source item URL provides additional context from the NVD database. The reference to the GitHub security advisory provides further details on the vulnerability and its fix.

Official resources

This AI-assisted debrief is based on the supplied source corpus and official links.