GHSA-387m-j3p9-3php

Suggest an improvement
Source
https://github.com/advisories/GHSA-387m-j3p9-3php
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-387m-j3p9-3php/GHSA-387m-j3p9-3php.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-387m-j3p9-3php
Aliases
Published
2026-03-02T19:42:07Z
Modified
2026-03-04T15:10:19.371049Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
Details

Summary

The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.

Details

POST /api/v2/auth/password/forgot returned a success message for registered emails but 'Your email has not been registered.' for unknown emails. The fix returns a uniform response regardless of whether the email exists.

Impact

An unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.

Credit

This issue was reported by @Tulgaaaaaaaa.

Database specific 
{
    "github_reviewed_at": "2026-03-02T19:42:07Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-204"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-03-02T17:16:33Z"
}
References

Affected packages

npm / nocodb

Package

Name
nocodb
View open source insights on deps.dev
Purl
pkg:npm/nocodb

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.301.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-387m-j3p9-3php/GHSA-387m-j3p9-3php.json"
last_known_affected_version_range 
"<= 0.301.2"