VYPR
Medium severity (5.8) · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

CVE-2026-46552

Description

Summary

Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link.

Details

Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers.

The end-to-end chain:

  • GET /api/v2/meta/bases/:baseId/users returned the member list to shared-base callers (@Acl('baseUserList')).
  • POST /api/v2/meta/bases/:baseId/users accepted an invite from shared-base callers (@Acl('userInvite')); base-users.service.ts inserted a real nc_users_v2 row with invite_token and a nc_base_users_v2 row for the target base, with invited_by = null.
  • The invited account redeemed the invite through the normal signup path (users.service.ts), gaining a persistent JWT scoped to the base.
  • Revoking the shared link did not affect the redeemed account.

Impact

  • Confidentiality: shared-base link exposes member email addresses.
  • Integrity: shared-base link can mutate base ACL state by creating new members.
  • Persistence: link-based access converts into durable authenticated access that survives revocation of the share.

Credit

This issue was reported by @0xmrma.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Shared-base links in NocoDB incorrectly grant full viewer privileges, allowing attackers to enumerate members, invite arbitrary accounts, and persist access beyond link revocation.

Vulnerability

Overview

CVE-2026-46552 is a privilege escalation vulnerability in NocoDB affecting shared-base sessions. The core issue is that in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, shared-base sessions were assigned the ProjectRoles.VIEWER role. The ACL utility in packages/nocodb/src/utils/acl.ts then granted the permissions baseUserList and userInvite to that role, without distinguishing between authenticated viewers and anonymous shared-base sessions [1][2].

Attack

Vector

An attacker in possession of a valid shared-base UUID (xc-shared-base-id) can first call GET /api/v2/meta/bases/:baseId/users to enumerate all existing base member email addresses. Using those or any target email, they can then call POST /api/v2/meta/bases/:baseId/users to invite the address as a real base member. The back-end service inserts a new nc_users_v2 row with an invite_token and creates a corresponding nc_base_users_v2 row [1][2]. No additional authentication is required beyond the shared-link identifier.

Impact

The invited user receives an invite token that can be redeemed through the standard NocoDB signup flow, granting a persistent JWT-based authenticated session scoped to the base. Crucially, this access remains valid even after the owner revokes or deletes the original shared link. The vulnerability thus enables unauthorized disclosure of member email addresses, unauthorized addition of base members, and persistent access that bypasses link-level revocation controls [1][2].

Mitigation

According to the advisory, the fix involves properly distinguishing shared-base sessions from authenticated viewer sessions in the ACL middleware and removing the unintended permissions from the shared-base role [1][2].
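As an added illustration of the distinction the Details and Mitigation sections describe (this is not NocoDB's own code): a request resolver that, before the fix, turns the shared-base header into a viewer-shaped principal, and after the fix into a separate principal kind with its own allow-list, so the ACL check no longer grants viewer permissions to link holders. The header name xc-shared-base-id and the permission names baseUserList/userInvite come from the advisory; the role table, token table and function names are assumptions for the example.

```typescript
// Added illustration, not NocoDB's code. Roles, the permission table and
// the token table are constructed for the example.
type Role = 'owner' | 'editor' | 'viewer';
type Session =
  | { kind: 'user'; role: Role; userId: string }
  | { kind: 'shared-base'; sharedBaseId: string };

// Member roles keep their permissions; baseUserList and userInvite are the
// two the advisory names, the rest are illustrative.
const ROLE_PERMISSIONS: Record<Role, ReadonlySet<string>> = {
  owner:  new Set(['dataList', 'baseUserList', 'userInvite', 'baseDelete']),
  editor: new Set(['dataList', 'dataInsert', 'baseUserList', 'userInvite']),
  viewer: new Set(['dataList', 'baseUserList', 'userInvite']),
};
// Fix: shared links get an explicit allow-list instead of a member role.
const SHARED_BASE_PERMISSIONS: ReadonlySet<string> = new Set(['dataList']);

// Constructed token table standing in for JWT verification.
const TOKENS: Record<string, { role: Role; userId: string }> = {
  'tok-viewer': { role: 'viewer', userId: 'u1' },
};

function resolveSession(headers: Record<string, string>, fixed: boolean): Session | null {
  const shared = headers['xc-shared-base-id'];
  if (shared) {
    // Before the fix the strategy mapped the link to ProjectRoles.VIEWER,
    // which is indistinguishable from an authenticated viewer downstream.
    return fixed
      ? { kind: 'shared-base' as const, sharedBaseId: shared }
      : { kind: 'user' as const, role: 'viewer', userId: `shared:${shared}` };
  }
  const token = (headers['authorization'] ?? '').replace(/^Bearer /, '');
  const user = TOKENS[token];
  return user ? { kind: 'user' as const, ...user } : null;
}

function isAllowed(session: Session | null, permission: string): boolean {
  if (!session) return false;
  if (session.kind === 'shared-base') return SHARED_BASE_PERMISSIONS.has(permission);
  return ROLE_PERMISSIONS[session.role].has(permission);
}

// What the member-list and invite endpoints would grant a given request.
function exposure(headers: Record<string, string>, fixed: boolean) {
  const s = resolveSession(headers, fixed);
  return {
    canRead: isAllowed(s, 'dataList'),
    canList: isAllowed(s, 'baseUserList'),
    canInvite: isAllowed(s, 'userInvite'),
  };
}
```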

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Nocodb/Nocodb (GHSA), 2 versions
    • range: <= 0.301.3 (no CPE)
    • (no CPE)

Patches (0)

No patches discovered yet.


References (2)
