CVE-2026-46552

MEDIUM5.8

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Published: 5/21/2026Modified: 5/21/2026
Also known as:GHSA-chqv-vrj7-qffp

Description

### Summary Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. ### Details Shared-base sessions were mapped to `ProjectRoles.VIEWER` in `packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts`, and `packages/nocodb/src/utils/acl.ts` granted `baseUserList` and `userInvite` to that role. The shared frontend (`packages/nc-gui/composables/useApi/interceptors.ts`) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. The end-to-end chain: - `GET /api/v2/meta/bases/:baseId/users` returned the member list to shared-base callers (`@Acl('baseUserList')`). - `POST /api/v2/meta/bases/:baseId/users` accepted an invite from shared-base callers (`@Acl('userInvite')`); `base-users.service.ts` inserted a real `nc_users_v2` row with `invite_token` and a `nc_base_users_v2` row for the target base, with `invited_by = null`. - The invited account redeemed the invite through the normal signup path (`users.service.ts`), gaining a persistent JWT scoped to the base. - Revoking the shared link did not affect the redeemed account. ### Impact - Confidentiality: shared-base link exposes member email addresses. - Integrity: shared-base link can mutate base ACL state by creating new members. - Persistence: link-based access converts into durable authenticated access that survives revocation of the share. ### Credit This issue was reported by [@0xmrma](https://github.com/0xmrma).

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

References (2)