Incorrect Authorization Affecting nocodb package, versions >=0.300.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-NOCODB-16875134
- published26 May 2026
- disclosed21 May 2026
- creditik0z
Introduced: 21 May 2026
NewCVE-2026-46549 (opens in a new tab)How to fix?
A fix was pushed into the master branch but not yet published.
Overview
nocodb is a NocoDB
Affected versions of this package are vulnerable to Incorrect Authorization via the OAuthTokenStrategy in the authentication component. An attacker can access endpoints reserved for other token types or privileged users by presenting an OAuth token to routes that accept it without route-level restriction. This allows unauthorized use of organization and metadata APIs, exposing administrative data and enabling privileged actions such as listing or modifying users, tokens, licenses, caches, and sync state.
Notes
- OAuth tokens were only blocked on endpoints that explicitly set
blockOAuthTokenAccess; routes without that ACL metadata still accepted them, including org-level handlers that rely on the caller’s underlying user roles rather than a base-scoped context. - The scope bypass is most relevant for third-party or narrowly scoped OAuth integrations: the token’s
oauth_scopeandoauth_granted_resourcescould be present on the request user, but the ACL layer did not consult them before authorizing access.