GHSA-jr54-jwhj-55gpLow

NocoDB: User Enumeration via Sign-In Timing

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

Details

The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

Credit

This issue was reported by @AndyAnh174.

🎯 Affected products1

  • npm/nocodb:< 2026.04.1

🔗 References (3)