NocoDB: Cross-Workspace Integration Use in Connection Test
🔗 CVE IDs covered (1)
📋 Description
Summary
A user in one workspace could exercise another workspace's integration through the
testConnection endpoint by supplying its ID, because the integration was fetched in
a bypass scope and the caller's permission check matched any base in any workspace.
Details
The connection-test endpoint fetched the integration in RootScopes.BYPASS scope and
checked only that the integration was non-private and that the caller held an
owner/creator role on any base in any workspace. The permission lookup is now scoped
to the integration's workspace by joining on fk_workspace_id, and the controller
rejects requests where the integration's workspace differs from the request's workspace.
Impact
Cross-tenant access to integration configuration through the connection-test endpoint, including the ability to drive the resolved database with the other workspace's credentials. Authentication with creator-or-owner role on any base in any workspace was sufficient.
Credit
This issue was reported by @DongyangLyu.
🎯 Affected products1
- npm/nocodb:<= 2026.05.0