GHSA-jr54-jwhj-55gpLow
NocoDB: User Enumeration via Sign-In Timing
🔗 CVE IDs covered (1)
📋 Description
Summary
Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.
Details
The unknown-user branch in auth.service.ts now performs a bcrypt.compare against
a fixed dummy hash so the response time of failed sign-ins is approximately
independent of whether the address exists. Rate limiting on the sign-in endpoint is
implemented in the Enterprise build only and is not affected by this advisory.
Impact
A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.
Credit
This issue was reported by @AndyAnh174.
🎯 Affected products1
- npm/nocodb:< 2026.04.1