CVE-2026-47380
NocoDB: User Enumeration via Sign-In Timing
Description
### Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

### Details

The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

### Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

### Credit

This issue was reported by [@AndyAnh174](https://github.com/AndyAnh174).
How to fix CVE-2026-47380
To remediate CVE-2026-47380, upgrade the affected package to a fixed version below.
- Upgrade to 2026.04.1 or later
Is CVE-2026-47380 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47380.
Affected packages (1)
- NocoDB: all versions from 0 up to, but not including, 2026.04.1