CVE-2026-47380
NocoDB: User Enumeration via Sign-In Timing
Description

### Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

### Details

The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a fixed dummy hash, so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

### Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

### Credit

This issue was reported by [@AndyAnh174](https://github.com/AndyAnh174).
How to patch CVE-2026-47380
To patch CVE-2026-47380, upgrade the affected package to the patched version listed below.
- — Upgrade to 2026.04.1 or later
Is CVE-2026-47380 being exploited?
There are currently no signals of exploitation. CVE-2026-47380 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- from 0, < 2026.04.1