GHSA-4w6r-5c2j-qf5f

Suggest an improvement
Source
https://github.com/advisories/GHSA-4w6r-5c2j-qf5f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-4w6r-5c2j-qf5f/GHSA-4w6r-5c2j-qf5f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4w6r-5c2j-qf5f
Aliases
  • CVE-2026-47378
Published
2026-06-05T16:03:11Z
Modified
2026-06-05T16:15:06.944335643Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
NocoDB: Hidden Column Exposure in Public Shared View Endpoints
Details

Summary

Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base.

Details

A new sanitizeListArgsForPublicView helper now strips request keys that should never be caller-controlled (e.g. getHiddenColumn, nested), parses where clauses against a restricted alias map that only contains visible columns, and recursively removes filter/sort entries whose fk_column_id is not in the visible set. validateGroupByColumnNames and validateGroupColumnId reject groupBy requests whose column_name (CSV-style) or groupColumnId is not in the visible or group-by column set. relDataList now checks column.fk_model_id === currentModel.id before resolving the linked table, matching the pre-existing check on publicMmList and publicHmList.

Impact

Anyone with a shared-view UUID could enumerate hidden-column values directly (via groupBy), confirm hidden-column values by observing row counts (via filter), or read records from unrelated tables in the same base (via the related-data list). No authentication was required.

Credit

This issue was reported by @0xBassia. It was independently reported by @b-hermes.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-639"
    ],
    "github_reviewed_at": "2026-06-05T16:03:11Z",
    "github_reviewed": true
}
References

Affected packages

npm / nocodb

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.04.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-4w6r-5c2j-qf5f/GHSA-4w6r-5c2j-qf5f.json"