2 matches found
GHSA-P9X3-W98F-7J3Q NocoDB Missing Ownership Validation in MCP Token Operations
Summary The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. Details McpTokenService.get, regenerateToken, and delete did not filter by fkuserid. The analogous...
Authorization Bypass Through User-Controlled Key
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the McpTokenService.get, regenerateToken, and delete functions due to missing ownership validation for MCP tokens. An attacker with Creator role privileges can...