CVE-2026-47378

CVE-2026-47378 is a medium-severity security vulnerability in nocodb (npm), affecting versions < 2026.04.1. It is fixed in 2026.04.1.

Summary

Public shared-view endpoints exposed values from columns that the view owner had
hidden, via three independent paths: groupBy returned raw values for any column
named in the request, filter and sort arrays operated on hidden columns enabling
boolean-blind extraction, and the related-data list accepted arbitrary link-column
IDs from other tables in the same base.

Details

A new sanitizeListArgsForPublicView helper now strips request keys that should
never be caller-controlled (e.g. getHiddenColumn, nested), parses where
clauses against a restricted alias map that only contains visible columns, and
recursively removes filter/sort entries whose fk_column_id is not in the visible
set. validateGroupByColumnNames and validateGroupColumnId reject groupBy
requests whose column_name (CSV-style) or groupColumnId is not in the visible
or group-by column set. relDataList now checks
column.fk_model_id === currentModel.id before resolving the linked table,
matching the pre-existing check on publicMmList and publicHmList.
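As an added example (not nocodb's own code), the following TypeScript sketches the shape of the sanitization the Details section describes: stripping caller-controlled keys, recursively pruning filter and sort entries whose fk_column_id is not visible, validating CSV-style groupBy column names, and checking that a link column belongs to the current model before related data is resolved. The Column, FilterNode, SortNode and ListArgs shapes, the function bodies and the sample columns are assumptions for illustration, not nocodb's actual types.

```typescript
// Added illustration, not nocodb's code. All type shapes are assumptions.
interface Column { id: string; title: string; fk_model_id: string; hidden: boolean; }
interface FilterNode {
  fk_column_id?: string; comparison_op?: string; value?: unknown;
  is_group?: boolean; children?: FilterNode[];
}
interface SortNode { fk_column_id: string; direction: 'asc' | 'desc'; }
interface ListArgs {
  [key: string]: unknown;
  filterArr?: FilterNode[]; sortArr?: SortNode[]; column_name?: string;
}

// Request keys a public caller must never control.
const FORBIDDEN_KEYS: string[] = ['getHiddenColumn', 'nested'];

function visibleColumns(columns: Column[]): Column[] {
  return columns.filter((c) => !c.hidden);
}

// Recursively drop filter entries that reference a non-visible column.
// A group survives only if at least one child survives, so a group made
// entirely of hidden-column conditions cannot influence row counts.
function pruneFilters(nodes: FilterNode[], visibleIds: string[]): FilterNode[] {
  const out: FilterNode[] = [];
  for (const node of nodes) {
    if (node.is_group) {
      const children = pruneFilters(node.children || [], visibleIds);
      if (children.length > 0) out.push({ ...node, children });
    } else if (node.fk_column_id !== undefined && visibleIds.indexOf(node.fk_column_id) !== -1) {
      out.push(node);
    }
  }
  return out;
}

function pruneSorts(nodes: SortNode[], visibleIds: string[]): SortNode[] {
  return nodes.filter((s) => visibleIds.indexOf(s.fk_column_id) !== -1);
}

// groupBy column_name arrives as a CSV of column titles; each must be visible.
function validateGroupByColumnNames(csv: string, columns: Column[]): string[] {
  const allowed = visibleColumns(columns).map((c) => c.title);
  const names = csv.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  for (const name of names) {
    if (allowed.indexOf(name) === -1) throw new Error('groupBy on non-visible column: ' + name);
  }
  return names;
}

function sanitizeListArgsForPublicView(args: ListArgs, columns: Column[]): ListArgs {
  const visibleIds = visibleColumns(columns).map((c) => c.id);
  const clean: ListArgs = {};
  for (const key of Object.keys(args)) {
    if (FORBIDDEN_KEYS.indexOf(key) === -1) clean[key] = args[key];
  }
  clean.filterArr = pruneFilters(args.filterArr || [], visibleIds);
  clean.sortArr = pruneSorts(args.sortArr || [], visibleIds);
  if (typeof args.column_name === 'string') validateGroupByColumnNames(args.column_name, columns);
  return clean;
}

// Related-data lookups may only follow link columns owned by the model the
// shared view belongs to, never a column id from another table in the base.
function assertLinkColumnBelongsToModel(column: Column, currentModelId: string): void {
  if (column.fk_model_id !== currentModelId) {
    throw new Error('link column does not belong to the shared view model');
  }
}

// Constructed sample: one visible column, one hidden column, same model.
const SAMPLE_COLUMNS: Column[] = [
  { id: 'c1', title: 'Name', fk_model_id: 'm1', hidden: false },
  { id: 'c2', title: 'Salary', fk_model_id: 'm1', hidden: true },
];

// Runs the sanitizer over a constructed request that tries every path.
function demo(): ListArgs {
  return sanitizeListArgsForPublicView({
    getHiddenColumn: true,
    filterArr: [
      { fk_column_id: 'c2', comparison_op: 'gt', value: 1 },
      { is_group: true, children: [
        { fk_column_id: 'c1', comparison_op: 'eq', value: 'A' },
        { fk_column_id: 'c2', comparison_op: 'eq', value: 1 },
      ] },
      { is_group: true, children: [{ fk_column_id: 'c2', comparison_op: 'eq', value: 2 }] },
    ],
    sortArr: [{ fk_column_id: 'c2', direction: 'desc' }, { fk_column_id: 'c1', direction: 'asc' }],
  }, SAMPLE_COLUMNS);
}
```

Note that the sanitizer rebuilds the argument object rather than deleting keys from the caller's copy, and that the checks sit in front of query construction: a filter on a hidden column is dropped before it can change the row count, and a groupBy on a hidden title is rejected outright rather than silently ignored.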

Credit

This issue was reported by @0xBassia.
It was independently reported by @b-hermes.

Impact

Anyone with a shared-view UUID could enumerate hidden-column values directly (via
groupBy), confirm hidden-column values by observing row counts (via filter), or
read records from unrelated tables in the same base (via the related-data list).
No authentication was required.

Affected versions

nocodb (< 2026.04.1)

Security releases

nocodb → 2026.04.1 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade nocodb to 2026.04.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-47378? CVE-2026-47378 is a medium-severity security vulnerability in nocodb (npm), affecting versions < 2026.04.1. It is fixed in 2026.04.1.
  2. Which versions of nocodb are affected by CVE-2026-47378? nocodb (npm) versions < 2026.04.1 are affected.
  3. Is there a fix for CVE-2026-47378? Yes. CVE-2026-47378 is fixed in 2026.04.1. Upgrade to this version or later.
  4. Is CVE-2026-47378 exploitable, and should I be worried? Whether CVE-2026-47378 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-47378 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-47378? Upgrade nocodb to 2026.04.1 or later.

Other vulnerabilities in nocodb

CVE-2026-53931
CVE-2026-53930
CVE-2026-53929
CVE-2026-53928
CVE-2026-53927
