CVE-2026-46552

EIP tracks 1 public exploit for CVE-2026-46552. PoCs published by 0xmrma.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-46552, an authorization boundary failure in NocoDB where shared-base links could be exploited to invite real base members and survive share revocation. The writeup includes root cause analysis, attack chain details, and a proof-of-concept validation process.

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.