PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47378 nocodb CVE debrief

CVE-2026-47378 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.04.1, public shared-view endpoints exposed values from columns that the view owner had hidden. This occurred via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. The vulnerability is fixed in version 2026.04.1. Users should update to the latest version to prevent potential exposure of sensitive data.

Vendor
nocodb
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Anyone running NocoDB older than 2026.04.1 who has published shared views. The exposure is reachable by whoever holds a public share link, and on affected versions hiding a column in the shared view does not keep that column's values out of reach. Administrators and security teams responsible for NocoDB instances should update immediately and, until then, treat every hidden column in a publicly shared view as potentially exposed.

Technical summary

Shared views let a view owner publish a subset of a table; columns the owner hides are meant to be absent from what the public endpoint returns. Before 2026.04.1 the hidden-column check did not cover the request parameters that select, order and group rows, which left three independent paths to hidden values: 1) groupBy returned raw grouped values for any column named in the request, so naming a hidden column returned its distinct values directly; 2) filter and sort arrays were applied to hidden columns, so a caller who never sees the column can still recover its contents by boolean-blind extraction: send a filter such as "hidden column begins with 1", observe whether any rows come back, and extend the matched prefix one character at a time; 3) the related-data list endpoint accepted arbitrary link-column IDs, including link columns belonging to other tables in the same base, extending the exposure beyond the shared table. All three paths are closed in version 2026.04.1. The vulnerability carries a CVSS score of 6.9 (MEDIUM).
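
The following is an added illustration of the mechanism, not NocoDB's code: an in-memory stand-in for a shared-view list handler that enforces column hiding only on the returned rows (the vulnerable shape), a boolean-blind loop that recovers a hidden value through the filter path without ever seeing the column, and the check that closes the filter, sort, groupBy and link-column paths. The table, column and link-column names, the `LINK_COLUMNS` registry and the request shape are all constructed for the example.

```typescript
// Added illustration of CVE-2026-47378's mechanism against an in-memory stand-in
// for a shared-view list endpoint. NOT NocoDB's code; all names are constructed.

type Row = Record<string, string | number>;
type FilterOp = 'eq' | 'like';

interface Filter { column: string; op: FilterOp; value: string }

interface ListRequest {
  filters: Filter[];   // e.g. [{ column: 'ssn', op: 'like', value: '1%' }]
  sorts: string[];     // column names to order by
  groupBy?: string;    // column to group by
}

interface SharedView {
  table: string;
  visibleColumns: string[];   // what the view owner left visible
}

// Constructed sample data: the owner hid `ssn` from the public view.
const CUSTOMERS: Row[] = [
  { id: 1, name: 'Ada', ssn: '123-45-6789' },
  { id: 2, name: 'Bob', ssn: '987-65-4321' },
];
const VIEW: SharedView = { table: 'customers', visibleColumns: ['id', 'name'] };

// Hypothetical link-column registry: which table each link column belongs to.
const LINK_COLUMNS: Record<string, { table: string }> = {
  lnk_orders: { table: 'customers' },   // belongs to the shared table
  lnk_payroll: { table: 'employees' },  // another table in the same base
};

function matches(row: Row, f: Filter): boolean {
  const v = String(row[f.column] ?? '');
  if (f.op === 'eq') return v === f.value;
  return v.indexOf(f.value.replace(/%$/, '')) === 0;   // 'like' with trailing % = prefix match
}

function project(row: Row, cols: string[]): Row {
  const out: Row = {};
  for (const c of cols) out[c] = row[c];
  return out;
}

// Vulnerable shape: visibility is enforced on the projection only, so filters
// and sorts still evaluate against hidden columns before the rows are trimmed.
function vulnerableList(view: SharedView, rows: Row[], req: ListRequest): Row[] {
  const hit = rows.filter(r => req.filters.every(f => matches(r, f)));
  for (const col of req.sorts.slice().reverse()) {   // last sort key applied first
    hit.sort((a, b) => String(a[col]).localeCompare(String(b[col])));
  }
  return hit.map(r => project(r, view.visibleColumns));
}

// Boolean-blind extraction: the response never contains `column`, but whether
// any row comes back reveals if the guessed prefix is right.
function extractHidden(
  list: (req: ListRequest) => Row[],
  anchor: Filter, column: string, alphabet: string, maxLen: number,
): string {
  let prefix = '';
  for (let i = 0; i < maxLen; i++) {
    let advanced = false;
    for (const ch of alphabet.split('')) {
      const probe: Filter = { column, op: 'like', value: prefix + ch + '%' };
      if (list({ filters: [anchor, probe], sorts: [] }).length > 0) {
        prefix += ch; advanced = true; break;
      }
    }
    if (!advanced) break;   // no character extends the prefix: value fully recovered
  }
  return prefix;
}

// Recovers Ada's hidden SSN through the vulnerable handler; `ssn` is never returned.
function demoLeak(): string {
  const list = (req: ListRequest) => vulnerableList(VIEW, CUSTOMERS, req);
  return extractHidden(list, { column: 'id', op: 'eq', value: '1' }, 'ssn', '0123456789-', 20);
}

// Fix shape: reject every column reference outside the view's visible set
// (filters, sorts, groupBy) before touching data.
function disallowedColumns(view: SharedView, req: ListRequest): string[] {
  const refs = req.filters.map(f => f.column).concat(req.sorts, req.groupBy ? [req.groupBy] : []);
  return refs.filter((c, i) => view.visibleColumns.indexOf(c) < 0 && refs.indexOf(c) === i);
}

function hardenedList(view: SharedView, rows: Row[], req: ListRequest): Row[] {
  const bad = disallowedColumns(view, req);
  if (bad.length > 0) throw new Error('columns not exposed by this view: ' + bad.join(', '));
  return vulnerableList(view, rows, req);   // safe now: every referenced column is visible
}

// Related-data path: only accept link columns that belong to the shared table.
function linkColumnAllowed(view: SharedView, linkColumnId: string): boolean {
  const link = LINK_COLUMNS[linkColumnId];
  return link !== undefined && link.table === view.table;
}
```

`demoLeak()` walks the hidden value one character per alphabet pass, using only the row count of responses that contain just `id` and `name`; `hardenedList` refuses the same probe, and `linkColumnAllowed` rejects a link-column ID from another table in the base. The same whitelist check belongs on the groupBy parameter, which `disallowedColumns` already covers.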

Defensive priority

Defenders should prioritize updating NocoDB to version 2026.04.1 or later. Until then, treat every public shared view as exposing all columns of its table, hidden ones included: unshare views whose tables hold sensitive data or place the instance behind network or authentication controls, and watch shared-view request logs for groupBy, filter or sort parameters that name hidden columns.

Recommended defensive actions

  • Update NocoDB to version 2026.04.1 or later.
  • Until the upgrade, restrict access to public shared-view endpoints: unshare public views whose underlying tables hold sensitive data, or put the instance behind network or authentication controls.
  • Monitor shared-view requests for groupBy, filter or sort parameters that reference columns hidden in the view, for related-data requests carrying link-column IDs from other tables, and for high volumes of near-identical filtered requests from one client, which is the pattern of boolean-blind extraction.
  • Audit existing public shared views and do not rely on column hiding as a security boundary: keep sensitive columns out of tables that are publicly shared, or share a dedicated table containing only the columns meant to be public.
  • Enable access logging on shared-view endpoints so the exposure window can be reconstructed after the upgrade. Encryption at rest does not mitigate this issue, since the application itself returns the values.

Evidence notes

CVE-2026-47378 was addressed by the NocoDB maintainers in version 2026.04.1. The stored evidence describes hidden-column values being exposed through public shared-view endpoints via three paths: groupBy on arbitrary columns, filter and sort on hidden columns (boolean-blind extraction), and related-data listing with arbitrary link-column IDs from the same base. The CVSS score is 6.9 (MEDIUM); the CVE is not listed in CISA KEV in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.