CVE-2026-28361

Medium
CWE-639 — Weakness Type
Published: Mar 2, 2026  ·  Modified: Mar 5, 2026  ·  Source: NVD
CVSS v3
6.3
📄 Description (English)

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3.

🤖 AI Executive Summary

NocoDB versions prior to 0.301.3 contain an authorization bypass vulnerability in the MCP token service that allows authenticated users with Creator role to access, regenerate, or delete other users' tokens without proper ownership validation. This privilege escalation vulnerability affects collaborative database environments and could lead to unauthorized access to integrated services. The medium CVSS score (6.3) reflects the requirement for authenticated access, but the impact on multi-user deployments is significant.


🤖 AI Intelligence Analysis (analyzed: May 16, 2026 19:56)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using NocoDB for collaborative database management face significant risk, particularly in government agencies (NCA, CITC), financial institutions managing customer data, and healthcare providers using NocoDB for patient record systems. The vulnerability enables insider threats where authorized users can compromise other users' API integrations and external service connections. Organizations in the energy sector (ARAMCO subsidiaries) and telecommunications (STC, Mobily) using NocoDB for operational databases are at elevated risk. The lack of audit trails for token manipulation could violate SAMA CSF and NCA ECC compliance requirements.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry of Health)
Banking and Financial Services (SAMA regulated institutions)
Healthcare (Ministry of Health, private hospitals)
Energy (ARAMCO, Saudi Electricity Company)
Telecommunications (STC, Mobily, Zain)
Education (universities using collaborative databases)
E-commerce and Retail
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all MCP token creation and usage logs to identify unauthorized token access or regeneration events
2. Identify all users with Creator role in NocoDB instances and review their token management activities
3. Revoke all existing MCP tokens and require users to regenerate them with proper documentation
4. Restrict Creator role permissions to only necessary users

Patching Guidance:
1. Upgrade NocoDB to version 0.301.3 or later immediately
2. If upgrade is not immediately possible, implement compensating controls (see below)
3. Test upgrade in non-production environment first
4. Document all token regeneration activities post-upgrade

Compensating Controls (if patch unavailable):
1. Implement network-level access controls restricting MCP token service endpoints to authorized IP ranges
2. Enable comprehensive audit logging for all token-related API calls
3. Implement API rate limiting on token management endpoints
4. Use API gateway to enforce additional authentication checks on token operations
5. Segregate Creator role users and monitor their activities closely

Detection Rules:
1. Alert on multiple token regeneration requests from a single user within a short timeframe
2. Monitor for token access patterns inconsistent with the user's normal behavior
3. Flag any token deletion followed by an immediate recreation
4. Track API calls to /api/v1/db/meta/projects/*/tokens endpoints with unusual frequency
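Detection rules 1 and 3 above turned into runnable logic, as an added example that is not part of this advisory: it parses constructed JSON audit records, raises an alert when one user regenerates several tokens inside a sliding window, and flags a delete followed by a create from the same user within a short gap. The record format, field names, action names, thresholds and windows are assumptions, not NocoDB's real audit schema.

```typescript
// Added example, not part of the advisory: detection rules 1 and 3 over
// constructed audit records. Log format, field names, action names and the
// thresholds/windows are assumptions; NocoDB's audit schema may differ.

interface AuditEvent {
  ts: number;                 // epoch milliseconds
  user: string;
  action: 'token.create' | 'token.regenerate' | 'token.delete' | 'token.read';
  tokenId: string;
}

interface Alert { rule: 'regen_burst' | 'delete_then_create'; user: string; detail: string; }

// Constructed sample: bob regenerates three tokens inside two minutes, then
// deletes one and creates a replacement 20 seconds later; alice's activity is routine.
const SAMPLE_LOG = [
  '{"ts":"2026-03-03T09:00:00Z","user":"alice","action":"token.read","tokenId":"tok_a1"}',
  '{"ts":"2026-03-03T10:00:00Z","user":"bob","action":"token.regenerate","tokenId":"tok_a1"}',
  '{"ts":"2026-03-03T10:00:40Z","user":"bob","action":"token.regenerate","tokenId":"tok_c1"}',
  '{"ts":"2026-03-03T10:01:30Z","user":"bob","action":"token.regenerate","tokenId":"tok_d1"}',
  '{"ts":"2026-03-03T10:05:00Z","user":"bob","action":"token.delete","tokenId":"tok_a1"}',
  '{"ts":"2026-03-03T10:05:20Z","user":"bob","action":"token.create","tokenId":"tok_a2"}',
  '{"ts":"2026-03-03T12:00:00Z","user":"alice","action":"token.regenerate","tokenId":"tok_a2"}',
].join('\n');

// One JSON object per line; events are sorted by time so the detectors can
// run a single forward pass.
function parseAuditLog(text: string): AuditEvent[] {
  return text
    .split('\n')
    .filter(line => line.trim().length > 0)
    .map(line => {
      const raw = JSON.parse(line) as { ts: string; user: string; action: AuditEvent['action']; tokenId: string };
      return { ts: Date.parse(raw.ts), user: raw.user, action: raw.action, tokenId: raw.tokenId };
    })
    .sort((a, b) => a.ts - b.ts);
}

// Rule 1: `threshold` or more regenerations by one user inside a sliding window.
function detectRegenBurst(events: AuditEvent[], threshold = 3, windowMs = 5 * 60_000): Alert[] {
  const byUser = new Map<string, number[]>();
  const alerted = new Set<string>();       // one alert per user per run
  const alerts: Alert[] = [];
  for (const ev of events) {
    if (ev.action !== 'token.regenerate') continue;
    const times = byUser.get(ev.user) ?? [];
    times.push(ev.ts);
    while (times.length > 0 && ev.ts - times[0] > windowMs) times.shift();  // drop events outside the window
    byUser.set(ev.user, times);
    if (times.length >= threshold && !alerted.has(ev.user)) {
      alerted.add(ev.user);
      alerts.push({ rule: 'regen_burst', user: ev.user, detail: `${times.length} regenerations within ${windowMs / 1000}s` });
    }
  }
  return alerts;
}

// Rule 3: a delete followed by a create from the same user within `gapMs`.
function detectDeleteThenCreate(events: AuditEvent[], gapMs = 60_000): Alert[] {
  const lastDelete = new Map<string, AuditEvent>();
  const alerts: Alert[] = [];
  for (const ev of events) {
    if (ev.action === 'token.delete') {
      lastDelete.set(ev.user, ev);
    } else if (ev.action === 'token.create') {
      const del = lastDelete.get(ev.user);
      if (del && ev.ts - del.ts <= gapMs) {
        alerts.push({
          rule: 'delete_then_create',
          user: ev.user,
          detail: `deleted ${del.tokenId} then created ${ev.tokenId} after ${(ev.ts - del.ts) / 1000}s`,
        });
        lastDelete.delete(ev.user);
      }
    }
  }
  return alerts;
}

function runDetections(logText: string): Alert[] {
  const events = parseAuditLog(logText);
  return [...detectRegenBurst(events), ...detectDeleteThenCreate(events)];
}

console.log(runDetections(SAMPLE_LOG));   // two alerts, both for "bob"

export {};  // mark this file as a module so its names stay file-local
```

On the sample above this yields one `regen_burst` alert and one `delete_then_create` alert, both for bob; alice's single regeneration hours later stays below the threshold. The thresholds are deliberately parameters, since the right values depend on how often legitimate users rotate tokens in a given deployment.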
🔧 Remediation Steps (Arabic)
Immediate Actions:
1. Audit all MCP token creation and usage logs to identify unauthorized access or regeneration events
2. Identify all users with the Creator role in NocoDB instances and review their token management activities
3. Revoke all existing MCP tokens and require users to regenerate them with proper documentation
4. Restrict Creator role permissions to only the users who need them

Patching Guidance:
1. Upgrade NocoDB to version 0.301.3 or later immediately
2. If an upgrade is not immediately possible, implement the compensating controls
3. Test the upgrade in a non-production environment first
4. Document all token regeneration activities after the upgrade

Compensating Controls:
1. Implement network-level access controls restricting MCP token service endpoints to authorized IP ranges
2. Enable comprehensive audit logging for all token-related API calls
3. Implement API rate limiting on token management endpoints
4. Use an API gateway to enforce additional authentication checks on token operations
5. Segregate Creator role users and monitor their activities closely

Detection Rules:
1. Alert on multiple token regeneration requests from a single user within a short timeframe
2. Monitor for token access patterns inconsistent with the user's normal behavior
3. Flag any token deletion followed by an immediate recreation
4. Track API calls to token endpoints with unusual frequency
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Access Control Policy (unauthorized token access)
A.6.1.2 - User Registration and De-registration (token lifecycle management)
A.7.2.1 - User Access Rights Review (Creator role permissions)
A.8.2.1 - Information Security Event Logging (token manipulation audit trails)
🔵 SAMA CSF
ID.AM-1 - Asset Management (MCP token inventory)
PR.AC-1 - Access Control Policy (token ownership validation)
PR.AC-3 - Access Enforcement (role-based token management)
DE.CM-1 - Detection and Analysis (token access monitoring)
RS.AN-1 - Incident Analysis (token compromise investigation)
🟡 ISO 27001:2022
A.5.1.1 - Information security policies (access control)
A.6.1.2 - User registration and access rights management
A.6.2.1 - User access rights review
A.8.2.1 - User activity logging and monitoring
A.8.2.4 - Logging of administrator and operator activities
🟣 PCI DSS v4.0.1
Requirement 2.1 - Change default passwords and security parameters
Requirement 6.5.10 - Broken authentication
Requirement 7 - Restrict access to cardholder data by business need
Requirement 8.1 - Assign unique ID to each person with computer access
Requirement 10.2 - Implement automated audit trails for access to cardholder data
📦 Affected Products / CPE (1 entry)
nocodb:nocodb
📊 CVSS Score
6.3
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector (AV): N, Network
Attack Complexity (AC): L, Low
Privileges Required (PR): L, Low
User Interaction (UI): N, None
Scope (S): U, Unchanged
Confidentiality (C): L, Low
Integrity (I): L, Low
Availability (A): L, Low
📋 Quick Facts
Severity: Medium
CVSS Score: 6.3
CWE: CWE-639
Exploit: No
Patch: ✗ No
Published: 2026-03-02
Source Feed: nvd
🇸🇦 Saudi Risk Score
7.2
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-639