VYPR
← All advisories
Low severity2.3NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

NocoDB: Missing Ownership Check in MCP Attachment Read

CVE-2026-47388

Description

Summary

A low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership.

Details

The MCP readAttachment tool accepts caller-supplied path/url values and streams the file via the storage adapter. The handler now looks up the path in nc_file_references and requires a non-deleted row whose base_id matches the caller's MCP context before streaming; otherwise it returns Attachment is not accessible from this MCP context. The lookup tolerates both download/uploads/... and uploads/... styles.

Impact

Arbitrary read against shared storage scoped to attachments the caller's MCP context should not see. Exploitation requires an MCP token and a known attachment path.

Credit

This issue was reported by @helwor-01.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The MCP `readAttachment` tool did not verify file ownership before streaming."

Attack vector

An attacker with a low-privilege MCP token and knowledge of an attachment path can exploit this vulnerability. The MCP `readAttachment` tool accepts a caller-supplied path or URL and streams the file. Without proper ownership verification, the tool can be tricked into streaming any file in shared storage, including attachments belonging to other bases and workspaces. This allows for unauthorized access to sensitive data [ref_id=1].

Affected code

The vulnerability lies within the MCP `readAttachment` tool, which handles file streaming based on caller-supplied `path`/`url` values. The fix involves changes to this handler to enforce ownership checks against the `nc_file_references` table before proceeding with the file stream [ref_id=1].

What the fix does

The handler for the MCP `readAttachment` tool was modified to look up the provided path in `nc_file_references`. It now requires that the row found is not deleted and that its `base_id` matches the caller's MCP context. If these conditions are not met, the tool returns an error message, preventing unauthorized file access [ref_id=1].

Preconditions

  • authAttacker must possess a low-privilege MCP token.
  • inputAttacker must have knowledge of a specific attachment path.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.