4 matches found
GHSA-9WGH-M22W-9XJ8 NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
Summary: The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table, including columns the view owner had hidden. Details...
Access Control Bypass
Overview: nocodb is a NocoDB Affected versions of this package are vulnerable to Access Control Bypass via the publicMmList, publicHmList, relDataList, and nested endpoints when the show flag for a column is not properly checked. An attacker can access hidden linked records by supplying a valid...
NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
Summary: The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table, including columns the view owner had hidden. Details...
PT-2026-46992
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 2026.05.1. Description: Public shared-view relation endpoints fail to verify whether a caller-supplied column ID is visible in the shared view. This allows anyone with a share UUID to read links from any LTAR...