NocoDB: Missing Ownership Check in MCP Attachment Read_CVE-2026-47388

2.3 / 10

LOW

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.

Basic Information

ID CVE-2026-47388

Source GitHub_M

Published Jun 23, 2026 at 20:09

Affected Product

Vendor nocodb

Product nocodb

Version < 2026.05.1

Affected Versions nocodb nocodb < 2026.05.1

CWE Classification

CWE-639

References

github.com /nocodb/nocodb/security/advisories/GHSA-xxpj-q764-9r6q

{
    "lastseen": "",
    "description": "NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1.",
    "published": "2026-06-23T20:09:30.471Z",
    "modified": "2026-06-23T20:09:30.471Z",
    "type": "cve",
    "title": "NocoDB: Missing Ownership Check in MCP Attachment Read",
    "source": "GitHub_M",
    "references": "https://github.com/nocodb/nocodb/security/advisories/GHSA-xxpj-q764-9r6q",
    "id": "CVE-2026-47388",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "nocodb nocodb < 2026.05.1",
    "sourceHref": "",
    "cvss": {
        "score": 2.3,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nocodb",
    "version": "< 2026.05.1",
    "vendor": "nocodb",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}