GHSA-jr54-jwhj-55gp

Source
https://github.com/advisories/GHSA-jr54-jwhj-55gp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jr54-jwhj-55gp/GHSA-jr54-jwhj-55gp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jr54-jwhj-55gp
Aliases
  • CVE-2026-47380
Published
2026-06-05T16:03:55Z
Modified
2026-06-05T16:15:06.932931481Z
Summary
NocoDB: User Enumeration via Sign-In Timing
Details

Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

Details

The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

Credit

This issue was reported by @AndyAnh174.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-208",
        "CWE-307"
    ],
    "github_reviewed": true,
    "severity": "LOW",
    "github_reviewed_at": "2026-06-05T16:03:55Z"
}
References

Affected packages

npm / nocodb

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.04.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jr54-jwhj-55gp/GHSA-jr54-jwhj-55gp.json"