Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base.
A new sanitizeListArgsForPublicView helper now strips request keys that should
never be caller-controlled (e.g. getHiddenColumn, nested), parses where
clauses against a restricted alias map that only contains visible columns, and
recursively removes filter/sort entries whose fk_column_id is not in the visible
set. validateGroupByColumnNames and validateGroupColumnId reject groupBy
requests whose column_name (CSV-style) or groupColumnId is not in the visible
or group-by column set. relDataList now checks column.fk_model_id ===
currentModel.id before resolving the linked table, matching the pre-existing
check on publicMmList and publicHmList.
Anyone with a shared-view UUID could enumerate hidden-column values directly (via groupBy), confirm hidden-column values by observing row counts (via filter), or read records from unrelated tables in the same base (via the related-data list). No authentication was required.
This issue was reported by @0xBassia. It was independently reported by @b-hermes.
{
"nvd_published_at": null,
"severity": "MODERATE",
"cwe_ids": [
"CWE-639"
],
"github_reviewed_at": "2026-06-05T16:03:11Z",
"github_reviewed": true
}