NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
Description
Summary
The OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id.
Details
In packages/nocodb/src/strategies/oauth-token.strategy.ts, the strategy set is_oauth_token, oauth_client_id, oauth_granted_resources, and oauth_scope on the user object, then mapped through to the user's existing roles / base_roles. The ACL middleware in extract-ids.middleware.ts honoured is_api_token via blockApiTokenAccess but had no equivalent gate for is_oauth_token or scope-string enforcement.
The base/workspace restriction logic short-circuited when req.context.base_id was unset (org-level routes), so an OAuth token scoped to one base could still call org-level endpoints as the underlying user.
The fix adds a path-prefix allowlist (['/mcp', '/api/v3/', '/auth/user/me']) enforced inside the strategy and a blockOAuthTokenAccess ACL flag for endpoints that should never accept OAuth tokens.
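As an added illustration (not NocoDB's code), the following TypeScript models the ACL gate the advisory describes, in its pre-fix and post-fix shapes side by side. Only the field names is_oauth_token, is_api_token, oauth_scope and oauth_granted_resources, the blockApiTokenAccess / blockOAuthTokenAccess flags, the three-entry path allowlist and req.context.base_id come from the advisory; the Req and AclOptions shapes, the reason strings and the route paths used in runDemo are assumptions made for this example.

```typescript
// Added example, not NocoDB's code: reduced model of the ACL gate. Advisory-sourced
// names: is_oauth_token, is_api_token, oauth_scope, oauth_granted_resources,
// blockApiTokenAccess, blockOAuthTokenAccess, the allowlist, context.base_id.
// Everything else (Req, AclOptions, paths in runDemo) is assumed for illustration.

interface Req {
  path: string;
  user: {
    id: string;
    roles: string[];
    is_api_token?: boolean;
    is_oauth_token?: boolean;
    oauth_scope?: string;                            // carried on the user, never consulted pre-fix
    oauth_granted_resources?: { base_id?: string };
  };
  context: { base_id?: string };                     // unset on org-level routes
}

interface AclOptions {
  blockApiTokenAccess?: boolean;   // flag that already existed
  blockOAuthTokenAccess?: boolean; // flag introduced by the fix
}

interface Decision { allowed: boolean; reason: string }

const OAUTH_PATH_ALLOWLIST = ['/mcp', '/api/v3/', '/auth/user/me'];

// Base/workspace restriction as the advisory describes it: it short-circuits (returns
// null, meaning "no objection") whenever the route carries no base context.
function baseRestriction(req: Req): Decision | null {
  const granted = req.user.oauth_granted_resources?.base_id;
  if (!req.context.base_id || !granted) return null;
  return req.context.base_id === granted
    ? null
    : { allowed: false, reason: 'token not granted for this base' };
}

// Vulnerable shape: only is_api_token is consulted, so an OAuth token falls through
// to the underlying user's roles on every route, including org-level ones.
function aclBeforeFix(req: Req, opts: AclOptions): Decision {
  if (req.user.is_api_token && opts.blockApiTokenAccess) {
    return { allowed: false, reason: 'API token not accepted on this route' };
  }
  return baseRestriction(req) ?? { allowed: true, reason: 'roles ' + req.user.roles.join(',') + ' applied' };
}

// Fixed shape: OAuth tokens are confined to the path allowlist (the strategy-level
// check) and individual routes can refuse them outright via blockOAuthTokenAccess.
function aclAfterFix(req: Req, opts: AclOptions): Decision {
  if (req.user.is_api_token && opts.blockApiTokenAccess) {
    return { allowed: false, reason: 'API token not accepted on this route' };
  }
  if (req.user.is_oauth_token) {
    if (!OAUTH_PATH_ALLOWLIST.some((p) => req.path.indexOf(p) === 0)) {
      return { allowed: false, reason: 'path outside OAuth allowlist' };
    }
    if (opts.blockOAuthTokenAccess) {
      return { allowed: false, reason: 'OAuth token not accepted on this route' };
    }
  }
  return baseRestriction(req) ?? { allowed: true, reason: 'roles ' + req.user.roles.join(',') + ' applied' };
}

// One constructed token scoped to base p_alpha, sent to four kinds of route.
// Returns [allowedBeforeFix, allowedAfterFix] per case.
function runDemo(): Record<string, [boolean, boolean]> {
  const scoped: Req['user'] = {
    id: 'u_alice', roles: ['org-level-creator'], is_oauth_token: true,
    oauth_scope: 'mcp', oauth_granted_resources: { base_id: 'p_alpha' },
  };
  const cases: Array<[string, Req, AclOptions]> = [
    ['mcpOwnBase',   { path: '/mcp/p_alpha/tools', user: scoped, context: { base_id: 'p_alpha' } }, {}],
    ['v3OtherBase',  { path: '/api/v3/meta/bases/p_beta/tables', user: scoped, context: { base_id: 'p_beta' } }, {}],
    ['orgLevel',     { path: '/api/v1/example/org-level', user: scoped, context: {} }, {}],            // illustrative path
    ['refusesOauth', { path: '/api/v3/example/sensitive', user: scoped, context: {} }, { blockOAuthTokenAccess: true }],
  ];
  const out: Record<string, [boolean, boolean]> = {};
  for (const c of cases) {
    out[c[0]] = [aclBeforeFix(c[1], c[2]).allowed, aclAfterFix(c[1], c[2]).allowed];
  }
  return out;
}
```

The orgLevel case is the one the advisory is about: with context.base_id unset the base check has nothing to compare, so before the fix the token simply inherits the user's roles, while after the fix the request never gets that far because the path is not on the allowlist.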
Impact
- Scope escalation: tokens issued with a narrow scope received the underlying user's full role.
- Resource boundary bypass: per-base restrictions did not apply to org-level routes.
- Violates least-privilege expectation for third-party OAuth integrations.
Credit
This issue was reported by @ik0z.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NocoDB OAuth token scope and resource restrictions are not enforced by the ACL middleware, allowing full user permissions regardless of token limits.
Root Cause
The vulnerability stems from a disconnect between NocoDB's OAuth token strategy and its ACL middleware. The OAuth token strategy in packages/nocodb/src/strategies/oauth-token.strategy.ts correctly populates oauth_scope and oauth_granted_resources on the user object. However, the ACL middleware in extract-ids.middleware.ts never reads these properties; it only checks is_api_token via blockApiTokenAccess. As a result, an OAuth token issued with a restricted scope (e.g., MCP-only) inherits the full permissions of the underlying user across all routes, violating the token's intended restrictions [1][2].
Attack Scenario
To exploit this, an attacker would need to obtain a valid OAuth token that was issued with a narrow scope or limited to a specific base. Because the base_id restriction logic short-circuits when req.context.base_id is unset (as on org-level endpoints), the token can be used to access org-level routes without any scope enforcement. The attack requires no additional authentication beyond possession of the OAuth token, and the attacker's access is effectively that of the underlying user account [1].
Impact
Successful exploitation leads to scope escalation: tokens intended for minimal access gain full user roles. Additionally, resource boundary restrictions are bypassed on org-level routes, breaking the least-privilege expectation for third-party OAuth integrations. This allows an attacker to perform actions across the user's entire workspace that were never authorized by the token's scope [1][2].
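A defender reviewing an instance that ran without the fix would want to know whether any OAuth-token request actually reached a route outside the allowlist. The TypeScript below is an added example (not NocoDB's code or logging) that runs that check over access-log lines; the log format (auth=, client=, user= fields) and every line in SAMPLE_LOG are constructed for this example, and the /api/v1/example/... paths merely stand in for org-level routes. The three allowed prefixes come from the advisory.

```typescript
// Added example, not NocoDB's code: hunt for OAuth-token requests that reached routes
// outside the allowlist the fix enforces. The log format and SAMPLE_LOG are constructed.

interface AccessEntry {
  ts: string;
  auth: string;    // constructed values: 'session', 'api_token' or 'oauth'
  client: string;  // OAuth client id, or '-' for non-OAuth requests
  user: string;
  method: string;
  path: string;
  status: number;
}

interface Finding { ts: string; client: string; user: string; path: string }

const ALLOWED_OAUTH_PREFIXES = ['/mcp', '/api/v3/', '/auth/user/me'];

const LINE_RE = /^(\S+) auth=(\S+) client=(\S+) user=(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$/;

// Parse one line of the constructed format; null for lines that do not match it.
function parseAccessLine(line: string): AccessEntry | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], auth: m[2], client: m[3], user: m[4], method: m[5], path: m[6], status: Number(m[7]) };
}

function hasAllowedPrefix(path: string): boolean {
  return ALLOWED_OAUTH_PREFIXES.some((p) => path.indexOf(p) === 0);
}

// Successful (status < 400) OAuth-token requests to routes the allowlist would not admit.
// On an unpatched instance these are exactly the calls that ran with the user's full role.
function findOutOfScopeOauthRequests(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const e = parseAccessLine(line);
    if (!e || e.auth !== 'oauth' || e.status >= 400) continue;
    if (!hasAllowedPrefix(e.path)) {
      findings.push({ ts: e.ts, client: e.client, user: e.user, path: e.path });
    }
  }
  return findings;
}

// Count findings per OAuth client so the integrations worth re-examining stand out.
function countByClient(findings: Finding[]): { [client: string]: number } {
  const counts: { [client: string]: number } = {};
  for (const f of findings) counts[f.client] = (counts[f.client] || 0) + 1;
  return counts;
}

// Constructed sample log. Line 2 and line 6 are OAuth calls to org-level routes that
// succeeded; line 4 was rejected (403) and line 3 used a browser session, so neither counts.
const SAMPLE_LOG: string[] = [
  '2026-05-21T10:00:01Z auth=oauth client=mcp-agent user=alice GET /mcp/tools 200',
  '2026-05-21T10:00:02Z auth=oauth client=mcp-agent user=alice GET /api/v1/example/orgs 200',
  '2026-05-21T10:00:03Z auth=session client=- user=alice GET /api/v1/example/orgs 200',
  '2026-05-21T10:00:04Z auth=oauth client=report-sync user=bob POST /api/v1/example/users 403',
  '2026-05-21T10:00:05Z auth=oauth client=report-sync user=bob GET /auth/user/me 200',
  '2026-05-21T10:00:06Z auth=oauth client=report-sync user=bob DELETE /api/v1/example/bases/p_abc 200',
  'this line is deliberately malformed',
];
```

Run findOutOfScopeOauthRequests(SAMPLE_LOG) and pass the result to countByClient; each client that appears is an integration whose token was able to act beyond its intended scope and whose activity during the unpatched window deserves a closer look.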
Mitigation
The fix introduces a path-prefix allowlist (['/mcp', '/api/v3/', '/auth/user/me']) enforced inside the OAuth strategy and a blockOAuthTokenAccess ACL flag for endpoints that should never accept OAuth tokens. No workaround is necessary; applying the patch fully resolves the issue. The vulnerability was reported by @ik0z and is documented in the GitHub advisory GHSA-m5qg-rvjq-727p [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.