GHSA-96fh-m4r8-6v9vMedium

NocoDB: Cross-Workspace Integration Use in Connection Test

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace.

Details

The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and checked only that the integration was non-private and that the caller held an owner/creator role on any base in any workspace. The permission lookup is now scoped to the integration's workspace by joining on fk_workspace_id, and the controller rejects requests where the integration's workspace differs from the request's workspace.

Impact

Cross-tenant access to integration configuration through the connection-test endpoint, including the ability to drive the resolved database with the other workspace's credentials. Authentication with creator-or-owner role on any base in any workspace was sufficient.

Credit

This issue was reported by @DongyangLyu.

🎯 Affected products1

  • npm/nocodb:<= 2026.05.0

🔗 References (3)