CVE-2026-47378
NocoDB: Hidden Column Exposure in Public Shared View Endpoints
Description

### Summary

Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request; the filter and sort arrays operated on hidden columns, enabling boolean-blind extraction; and the related-data list accepted arbitrary link-column IDs from other tables in the same base.

### Details

A new `sanitizeListArgsForPublicView` helper now strips request keys that should never be caller-controlled (e.g. `getHiddenColumn`, `nested`), parses `where` clauses against a restricted alias map that contains only visible columns, and recursively removes filter/sort entries whose `fk_column_id` is not in the visible set. `validateGroupByColumnNames` and `validateGroupColumnId` reject groupBy requests whose `column_name` (CSV-style) or `groupColumnId` is not in the visible or group-by column set. `relDataList` now checks `column.fk_model_id === currentModel.id` before resolving the linked table, matching the pre-existing check on `publicMmList` and `publicHmList`.

### Impact

Anyone with a shared-view UUID could enumerate hidden-column values directly (via groupBy), confirm hidden-column values by observing row counts (via filter), or read records from unrelated tables in the same base (via the related-data list). No authentication was required.

### Credit

This issue was reported by [@0xBassia](https://github.com/0xBassia). It was independently reported by [@b-hermes](https://github.com/b-hermes).
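The following is an added example, not NocoDB's code, showing the allow-list pattern the Details section describes for all three paths: stripping caller-forbidden keys, pruning filter/sort entries (recursively, including nested filter groups) whose `fk_column_id` is not visible, resolving a `where` clause only through an alias map of visible columns, rejecting groupBy names outside the allowed set, and refusing a link column whose `fk_model_id` is not the current table. Every type, function name, the flat `(Title,op,value)~and(...)` where-grammar and the sample columns are hypothetical and constructed for illustration.

```typescript
// Added example (not NocoDB's code): allow-list sanitisation of public
// shared-view list arguments along the three paths named in the advisory.
// All names, types and the where-clause grammar here are hypothetical.

export interface Column { id: string; title: string; fk_model_id: string }
export interface Filter {
  fk_column_id?: string; comparison_op?: string; value?: string;
  is_group?: boolean; logical_op?: 'and' | 'or'; children?: Filter[];
}
export interface Sort { fk_column_id: string; direction: 'asc' | 'desc' }
export interface ListArgs {
  filterArr?: Filter[]; sortArr?: Sort[]; where?: string;
  getHiddenColumn?: boolean; nested?: unknown; [k: string]: unknown;
}

// Request keys a public (unauthenticated) caller must never control.
const FORBIDDEN_KEYS = ['getHiddenColumn', 'nested'] as const;

// Recursively drop filter entries on hidden columns; groups that end up empty
// are dropped too, so a hidden column can never influence the row set.
export function pruneFilters(filters: Filter[], visible: Set<string>): Filter[] {
  const kept: Filter[] = [];
  for (const f of filters) {
    if (f.is_group) {
      const children = pruneFilters(f.children ?? [], visible);
      if (children.length > 0) kept.push({ ...f, children });
    } else if (f.fk_column_id !== undefined && visible.has(f.fk_column_id)) {
      kept.push(f);
    }
    // anything else (hidden column, missing fk_column_id) is removed
  }
  return kept;
}

// Toy `where` parser: flat terms "(Title,op,value)" joined by "~and".
// A term naming a column outside the alias map (hidden or unknown) is dropped.
export function whereToFilters(where: string, aliasMap: Map<string, string>): Filter[] {
  const out: Filter[] = [];
  for (const term of where.split('~and')) {
    const m = /^\(([^,()]+),([^,()]+)(?:,([^()]*))?\)$/.exec(term.trim());
    if (!m) throw new Error(`unsupported where term: ${term}`);
    const id = aliasMap.get(m[1]);
    if (id !== undefined) out.push({ fk_column_id: id, comparison_op: m[2], value: m[3] ?? '' });
  }
  return out;
}

// Path 2: sanitise filter/sort/where for a public view given its visible columns.
export function sanitizePublicListArgs(args: ListArgs, visibleCols: Column[]): ListArgs {
  const visibleIds = new Set(visibleCols.map(c => c.id));
  const aliasMap = new Map<string, string>(visibleCols.map((c): [string, string] => [c.title, c.id]));
  const out: ListArgs = { ...args };
  for (const k of FORBIDDEN_KEYS) delete out[k];
  const filterArr = pruneFilters(args.filterArr ?? [], visibleIds);
  if (args.where) filterArr.push(...whereToFilters(args.where, aliasMap));
  delete out.where;                       // fully rewritten into filterArr
  out.filterArr = filterArr;
  out.sortArr = (args.sortArr ?? []).filter(s => visibleIds.has(s.fk_column_id));
  return out;
}

// Path 1: groupBy takes a CSV of column titles; every name must be allowed.
export function validateGroupByColumnNames(csv: string, allowed: Set<string>): string[] {
  const names = csv.split(',').map(s => s.trim()).filter(s => s.length > 0);
  for (const n of names) if (!allowed.has(n)) throw new Error(`groupBy not allowed on ${n}`);
  return names;
}

// Path 3: the link column used by the related-data list must belong to the
// view's own table, not merely to some table in the same base.
export function resolveLinkColumn(id: string, currentModelId: string, all: Map<string, Column>): Column {
  const col = all.get(id);
  if (!col || col.fk_model_id !== currentModelId) throw new Error('link column is not on this table');
  return col;
}

// Constructed sample: table m1 with a visible Title and a hidden Salary column,
// plus a link column that lives on an unrelated table m2 in the same base.
export const COLUMNS: Column[] = [
  { id: 'c1', title: 'Title',  fk_model_id: 'm1' },
  { id: 'c2', title: 'Salary', fk_model_id: 'm1' },
  { id: 'c9', title: 'Link',   fk_model_id: 'm2' },
];
export const COLUMN_INDEX = new Map<string, Column>(COLUMNS.map((c): [string, Column] => [c.id, c]));
export const VISIBLE = COLUMNS.filter(c => c.id === 'c1');

// A request that tries every hidden-column trick at once against table m1.
export function demo(): ListArgs {
  return sanitizePublicListArgs({
    getHiddenColumn: true,
    where: '(Title,like,a)~and(Salary,gt,100000)',
    filterArr: [{ is_group: true, logical_op: 'and',
                  children: [{ fk_column_id: 'c2', comparison_op: 'eq', value: '1' }] }],
    sortArr: [{ fk_column_id: 'c2', direction: 'desc' }, { fk_column_id: 'c1', direction: 'asc' }],
  }, VISIBLE);
}
```

In `demo()` the only surviving filter is the `Title` term and the only surviving sort is on `c1`; the hidden `Salary` references disappear silently rather than erroring, which matters for a blind-extraction attacker because an error response would itself confirm that the column exists. A real implementation also needs the `groupColumnId` variant of the groupBy check and has to apply the same visible-set to any nested or linked-record columns it resolves.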
How to patch CVE-2026-47378
To patch CVE-2026-47378, upgrade the affected package to the fixed version listed below.
- Upgrade to 2026.04.1 or later
Is CVE-2026-47378 being exploited?
No exploitation signal at present: CVE-2026-47378 is not in CISA KEV and has no current EPSS score.
Affected packages (1)
- from 0, < 2026.04.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |