Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Configurations
No configuration.
History
26 Jun 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-26 15:16
Updated : 2026-06-27 04:17
NVD link : CVE-2026-56773
Mitre link : CVE-2026-56773
CVE.ORG link : CVE-2026-56773
Products Affected
No product.
CWE
CWE-862
Missing Authorization
