NocoDB: Cross-Workspace Integration Use in Connection Test
GHSA-96fh-m4r8-6v9v · CVE-2026-47381
Description
Summary
A user in one workspace could exercise another workspace's integration through the
testConnection endpoint by supplying its ID, because the integration was fetched in
a bypass scope and the caller's permission check matched any base in any workspace.
Details
The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and
checked only that the integration was non-private and that the caller held an
owner/creator role on any base in any workspace. The permission lookup is now scoped
to the integration's workspace by joining on fk_workspace_id, and the controller
rejects requests where the integration's workspace differs from the request's workspace.
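The two authorization checks described above, modelled in plain JavaScript as an added example (this is not NocoDB's code). The table shapes, the function names `allowTestBefore` and `allowTestAfter`, and all sample rows are constructed for illustration; only `fk_workspace_id` is taken from the advisory.

```javascript
// Constructed in-memory rows standing in for database tables (hypothetical shape).
const integrations = [
  { id: 'int_A', fk_workspace_id: 'ws_A', is_private: false },
  { id: 'int_B', fk_workspace_id: 'ws_B', is_private: false },
];
const bases = [
  { id: 'base_A1', fk_workspace_id: 'ws_A' },
  { id: 'base_B1', fk_workspace_id: 'ws_B' },
];
const baseUsers = [
  { fk_user_id: 'alice', base_id: 'base_A1', role: 'creator' },
  { fk_user_id: 'bob', base_id: 'base_B1', role: 'owner' },
  { fk_user_id: 'carol', base_id: 'base_A1', role: 'viewer' },
];
const PRIVILEGED = new Set(['owner', 'creator']);

// Lookup with no workspace filter, standing in for a bypass-scope fetch.
function getIntegrationUnscoped(id) {
  return integrations.find((i) => i.id === id) ?? null;
}

// Pre-fix shape: non-private integration + owner/creator on ANY base anywhere.
function allowTestBefore(req, integrationId) {
  const integration = getIntegrationUnscoped(integrationId);
  if (!integration || integration.is_private) return false;
  return baseUsers.some(
    (bu) => bu.fk_user_id === req.userId && PRIVILEGED.has(bu.role),
  );
}

// Post-fix shape: both checks from the advisory applied.
function allowTestAfter(req, integrationId) {
  const integration = getIntegrationUnscoped(integrationId);
  if (!integration || integration.is_private) return false;
  // Controller check: integration must live in the request's workspace.
  if (integration.fk_workspace_id !== req.workspaceId) return false;
  // Role lookup joined to bases on fk_workspace_id of the integration.
  return baseUsers.some((bu) => {
    const base = bases.find((b) => b.id === bu.base_id);
    return (
      bu.fk_user_id === req.userId &&
      PRIVILEGED.has(bu.role) &&
      base?.fk_workspace_id === integration.fk_workspace_id
    );
  });
}
```

The scoped role lookup still matters when the request's workspace value matches the integration: a caller whose only privileged role is on a base in another workspace is rejected by the join, not by the controller comparison.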
Impact
Cross-tenant access to integration configuration through the connection-test endpoint,
including the ability to drive the resolved database with the other workspace's
credentials. Authentication with creator-or-owner role on any base in any workspace
was sufficient.
Credit
This issue was reported by @DongyangLyu.