CVE-2026-28361

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/nocodb/nocodb/releases/tag/0.301.3	Product Release Notes
https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*

History

03 Mar 2026, 19:00

Type	Values Removed	Values Added
References	~~() https://github.com/nocodb/nocodb/releases/tag/0.301.3 -~~	() https://github.com/nocodb/nocodb/releases/tag/0.301.3 - Product, Release Notes
References	~~() https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q -~~	() https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.3
CPE		cpe:2.3:a:nocodb:nocodb::::::::
First Time		Nocodb nocodb Nocodb

02 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-02 17:16

Updated : 2026-03-03 19:00

NVD link : CVE-2026-28361

Mitre link : CVE-2026-28361

CVE.ORG link : CVE-2026-28361

JSON object : View

Products Affected

nocodb

nocodb

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-28361", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-02T17:16:34.467", "references": [{"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3."}], "lastModified": "2026-03-03T19:00:44.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE4D8D2-EBCC-4E55-8FC1-3353EAB8B008", "versionEndExcluding": "0.301.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}