GHSA-xxpj-q764-9r6qLow

NocoDB: Missing Ownership Check in MCP Attachment Read

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership.

Details

The MCP readAttachment tool accepts caller-supplied path/url values and streams the file via the storage adapter. The handler now looks up the path in nc_file_references and requires a non-deleted row whose base_id matches the caller's MCP context before streaming; otherwise it returns Attachment is not accessible from this MCP context. The lookup tolerates both download/uploads/... and uploads/... styles.

Impact

Arbitrary read against shared storage scoped to attachments the caller's MCP context should not see. Exploitation requires an MCP token and a known attachment path.

Credit

This issue was reported by @helwor-01.

🎯 Affected products1

  • npm/nocodb:<= 2026.05.0

🔗 References (3)