UNKNOWN npm
NocoDB has Plaintext Storage of Shared View Passwords
GHSA-mpp2-x7wv-38hv · CVE-2026-28360
Published · Modified
Description
Summary
Shared view passwords were stored in plaintext in the database and compared using direct string equality.
Details
The password column in nc_views stored unhashed passwords. Verification used !== comparison across public-datas.service.ts, public-metas.service.ts, and calendar-datas.service.ts.
Impact
If the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.
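The difference between the storage and comparison pattern described under Details and a salted-hash alternative, as an added example that is not NocoDB's code or its actual patch. The SharedView shape, function names, the scrypt$salt$digest format and the sample rows are assumptions; only the password column name and the !== comparison come from the advisory.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical row shape; only the `password` column name comes from the advisory.
interface SharedView { id: string; password: string | null; }

const KEY_LEN = 32; // scrypt output length in bytes

// Pattern the advisory describes: plaintext column, direct string comparison.
function verifyPlaintext(view: SharedView, supplied: string): boolean {
  if (view.password && view.password !== supplied) return false;
  return true;
}

// Hardened storage: random per-view salt, scrypt digest, self-describing format.
function hashViewPassword(password: string): string {
  const salt = randomBytes(16);
  const digest = scryptSync(password, salt, KEY_LEN);
  return `scrypt$${salt.toString("hex")}$${digest.toString("hex")}`;
}

// Hardened check: recompute the digest with the stored salt, compare in constant time.
function verifyHashed(view: SharedView, supplied: string): boolean {
  if (view.password === null) return true; // no password set on this view
  const [scheme, saltHex, digestHex] = view.password.split("$");
  // Unknown scheme or a leftover plaintext value: fail closed.
  if (scheme !== "scrypt" || !saltHex || !digestHex) return false;
  const expected = Buffer.from(digestHex, "hex");
  if (expected.length !== KEY_LEN) return false; // timingSafeEqual needs equal lengths
  const actual = scryptSync(supplied, Buffer.from(saltHex, "hex"), KEY_LEN);
  return timingSafeEqual(actual, expected);
}

// Constructed sample rows: the same password stored both ways.
const plaintextRow: SharedView = { id: "vw_demo1", password: "Spring2026!" };
const hashedRow: SharedView = { id: "vw_demo1", password: hashViewPassword("Spring2026!") };
```

A database dump exposes plaintextRow.password directly, while hashedRow.password yields only a salt and digest; rows still holding plaintext are rejected by verifyHashed and would need to be re-set or migrated.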
Credit
This issue was reported by @Tulgaaaaaaaa.