UNKNOWN npm

NocoDB: User Enumeration via Sign-In Timing

GHSA-jr54-jwhj-55gp · CVE-2026-47380


Description

Summary

Sign-in response timing differed between known and unknown email addresses because
the unknown-user branch returned without performing a password hash comparison.

Details

The unknown-user branch in auth.service.ts now performs a bcrypt.compare against
a fixed dummy hash, so a failed sign-in does roughly the same bcrypt work whether
or not the address exists, and the response time is approximately independent of
it. For this to hold in general, the dummy hash must be generated with the same
bcrypt cost factor as the stored password hashes; a cheaper dummy hash would leave
a measurable gap. Rate limiting on the sign-in endpoint is implemented in the
Enterprise build only and is not affected by this advisory.

Impact

An attacker who can reach the sign-in endpoint could enumerate registered email
addresses by timing the responses: sign-ins for unknown addresses returned faster
because no hash comparison was performed. Exploitation requires only the ability
to send unauthenticated sign-in requests; no credentials or other access are
needed.

Credit

This issue was reported by @AndyAnh174.
