CVE-2026-47381
Published: June 05, 2026
Updated: June 06, 2026
Summary
A user in one workspace could exercise another workspace's integration through the "testConnection" endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace.

Details
The connection-test endpoint fetched the integration in "RootScopes.BYPASS" scope and checked only that the integration was non-private and that the caller held an owner/creator role on any base in any workspace. The permission lookup is now scoped to the integration's workspace by joining on "fk_workspace_id", and the controller rejects requests where the integration's workspace differs from the request's workspace.

Impact
Cross-tenant access to integration configuration through the connection-test endpoint, including the ability to drive the resolved database with the other workspace's credentials. Authentication with a creator-or-owner role on any base in any workspace was sufficient.

Credit
This issue was reported by "@DongyangLyu" (https://github.com/DongyangLyu).
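To make the Details section concrete, the following is an added example (not nocodb's code; the table shapes, function names and sample rows are hypothetical) that places the over-broad check beside a workspace-scoped one of the kind the fix describes:

```typescript
// Added example, not taken from nocodb. Models the authorization decision of a
// connection-test endpoint with in-memory rows instead of database queries.
type Role = 'owner' | 'creator' | 'editor' | 'viewer';

interface Integration { id: string; fk_workspace_id: string; is_private: boolean; }
interface BaseUser { user_id: string; base_id: string; fk_workspace_id: string; role: Role; }

// Constructed sample data: two tenants, each with one integration and one privileged user.
const integrations: Integration[] = [
  { id: 'int-A', fk_workspace_id: 'ws-A', is_private: false },
  { id: 'int-B', fk_workspace_id: 'ws-B', is_private: false },
];
const baseUsers: BaseUser[] = [
  { user_id: 'alice', base_id: 'base-A', fk_workspace_id: 'ws-A', role: 'owner' },
  { user_id: 'bob',   base_id: 'base-B', fk_workspace_id: 'ws-B', role: 'creator' },
];

const PRIVILEGED = new Set<Role>(['owner', 'creator']);

// Over-broad check (the pre-fix behaviour): the integration is looked up with no
// workspace filter, and the caller only needs owner/creator on *any* base anywhere.
function canTestConnectionVulnerable(userId: string, integrationId: string): boolean {
  const integration = integrations.find(i => i.id === integrationId);
  if (!integration || integration.is_private) return false;
  return baseUsers.some(bu => bu.user_id === userId && PRIVILEGED.has(bu.role));
}

// Scoped check: the integration must belong to the workspace named in the request,
// and the role lookup is joined on fk_workspace_id so a role elsewhere does not count.
function canTestConnectionFixed(userId: string, requestWorkspaceId: string, integrationId: string): boolean {
  const integration = integrations.find(i => i.id === integrationId);
  if (!integration || integration.is_private) return false;
  if (integration.fk_workspace_id !== requestWorkspaceId) return false;
  return baseUsers.some(bu =>
    bu.user_id === userId &&
    bu.fk_workspace_id === integration.fk_workspace_id &&
    PRIVILEGED.has(bu.role));
}
```

The second guard matters even if a caller names the integration's real workspace in the request: the role lookup is still confined to that workspace, so a role held only in a different tenant is not enough.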
Affected Packages
https://github.com/nocodb/nocodb.git (GITHUB):
Affected version(s) >=crea <2026.05.1
Fix Suggestion:
Update to version 2026.05.1
nocodb (NPM):
Affected version(s) >=0.0.1 <2026.05.1
Fix Suggestion:
Update to version 2026.05.1
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Authentication Bypass by Spoofing