GHSA-mpp2-x7wv-38hv

Source
https://github.com/advisories/GHSA-mpp2-x7wv-38hv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mpp2-x7wv-38hv/GHSA-mpp2-x7wv-38hv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mpp2-x7wv-38hv
Aliases
Published
2026-03-02T19:52:57Z
Modified
2026-03-04T15:16:05.415356Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Summary
NocoDB has Plaintext Storage of Shared View Passwords
Details

Summary

Shared view passwords were stored in plaintext in the database and compared using direct string equality.

Details

The password column in nc_views stored unhashed passwords. Verification used !== comparison across public-datas.service.ts, public-metas.service.ts, and calendar-datas.service.ts.
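
The pattern described above beside a salted-hash alternative, as an added example that is not NocoDB's code or its actual fix. The choice of scrypt, the `scrypt$<salt>$<hash>` stored format and all function names are assumptions made for illustration.

```typescript
// Added example, not NocoDB code. Names and the stored format are assumptions.
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

const KEY_LEN = 32;
const SALT_LEN = 16;

// Pattern the advisory describes: the column holds the password itself and
// the check is direct string equality (the services rejected on `!==`).
function verifyPlaintext(storedPassword: string, supplied: string): boolean {
  return storedPassword === supplied;
}

// Hardened storage: "scrypt$<salt hex>$<hash hex>" with a random per-row salt,
// so a database dump no longer reveals the password.
function hashViewPassword(password: string): string {
  const salt = randomBytes(SALT_LEN);
  const hash = scryptSync(password, salt, KEY_LEN);
  return ['scrypt', salt.toString('hex'), hash.toString('hex')].join('$');
}

// Hardened check: re-derive with the stored salt and compare in constant time.
function verifyViewPassword(stored: string, supplied: string): boolean {
  const parts = stored.split('$');
  // A legacy plaintext row or a malformed value never verifies.
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false;
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  if (salt.length !== SALT_LEN || expected.length !== KEY_LEN) return false;
  return timingSafeEqual(scryptSync(supplied, salt, KEY_LEN), expected);
}

// One-time migration for existing rows: hash any value not yet in the new format.
function migrateStoredPassword(stored: string): string {
  const alreadyHashed = /^scrypt\$[0-9a-f]{32}\$[0-9a-f]{64}$/.test(stored);
  return alreadyHashed ? stored : hashViewPassword(stored);
}
```

Rows written before the change still hold plaintext, so the migration step has to run over existing data before the plaintext comparison path is removed.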

Impact

If the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.

Credit

This issue was reported by @Tulgaaaaaaaa.

Database specific
{
    "github_reviewed_at": "2026-03-02T19:52:57Z",
    "github_reviewed": true,
    "severity": "LOW",
    "nvd_published_at": "2026-03-02T17:16:34Z",
    "cwe_ids": [
        "CWE-256"
    ]
}
References

Affected packages

npm / nocodb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.301.3

Database specific

last_known_affected_version_range
"<= 0.301.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mpp2-x7wv-38hv/GHSA-mpp2-x7wv-38hv.json"