CVE-2026-28361

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28361

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28361.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28361

Aliases

GHSA-p9x3-w98f-7j3q

Published

2026-03-02T16:17:50.678Z

Modified

2026-03-03T02:57:14.907112Z

Severity

4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

NocoDB: Missing Ownership Validation in MCP Token Operations

Details

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3.

Database specific

{
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28361.json"
}

References

Affected packages

Git / github.com/nocodb/nocodb

Affected ranges

Type

GIT

Repo

https://github.com/nocodb/nocodb

Events

Introduced

Fixed

391834484b11c429e4ff5677538b3b2f16ca510d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.301.3"
        }
    ]
}

Affected versions

0.*

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.100.0

0.100.1

0.100.2

0.101.0

0.101.0-beta.0

0.101.2

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.106.0

0.106.0-beta.0

0.106.0-beta.1

0.106.1

0.107.0

0.107.0-beta.0

0.107.0-beta.1

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.108.0

0.108.0-beta.0

0.108.1

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.109.7

0.11.0

0.11.1

0.11.10

0.11.11

0.11.12

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.25

0.11.26

0.11.28

0.11.29

0.11.3

0.11.30

0.11.31

0.11.32

0.11.33

0.11.34

0.11.36

0.11.39

0.11.4

0.11.40

0.11.41

0.11.42

0.11.43

0.11.44

0.11.45

0.11.46

0.11.5

0.11.6

0.11.7

0.11.9

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.200.0

0.202.0

0.202.10

0.202.4

0.202.5

0.202.6

0.202.7

0.202.8

0.202.9

0.203.0

0.203.1

0.203.2

0.204.0

0.204.1

0.204.2

0.204.3

0.204.4

0.204.5

0.204.6

0.204.7

0.204.8

0.204.9

0.205.0

0.205.1

0.207.0

0.207.1

0.207.2

0.207.3

0.250.0

0.250.1

0.250.2

0.251.0

0.251.1

0.251.2

0.251.3

0.252.0

0.253.0

0.255.0

0.255.1

0.255.2

0.256.0

0.257.0

0.257.2

0.258.0

0.258.1

0.258.10

0.258.11

0.258.2

0.258.3

0.260.0

0.260.1

0.260.2

0.260.3

0.260.4

0.260.5

0.260.6

0.260.7

0.261.0

0.262.0

0.262.1

0.262.2

0.262.3

0.262.4

0.262.5

0.263.0

0.263.1

0.263.2

0.263.3

0.263.4

0.263.6

0.263.7

0.263.8

0.264.0

0.264.1

0.264.2

0.264.3

0.264.4

0.264.6

0.264.7

0.264.8

0.264.9

0.265.0

0.265.1

0.300.0

0.301.0

0.301.1

0.301.2

0.4.5

0.4.8

0.4.9

0.80.0

0.81.0

0.81.1

0.82.0

0.83.0

0.83.1

0.83.2

0.83.3

0.83.4

0.83.5

0.83.6

0.83.8

0.84.1

0.84.10

0.84.12

0.84.13

0.84.14

0.84.15

0.84.16

0.84.2

0.84.3

0.84.6

0.84.7

0.84.8

0.84.9

0.9

0.90.0

0.90.1

0.90.10

0.90.11

0.90.2

0.90.3

0.90.4

0.90.5

0.90.7

0.90.8

0.90.9

0.91.0

0.91.1

0.91.10

0.91.6

0.91.7

0.91.8

0.91.9

0.92.0

0.92.1

0.92.2

0.92.3

0.92.4

0.96.0

0.96.1

0.96.2

0.96.4

0.97.0

0.98.1

0.98.2

0.98.3

0.98.4

0.99.0

0.99.1

0.99.2

v0.*

v0.10.0

v0.4.2

v0.4.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28361.json"