CVE-2026-47380

Summary

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.

Affected Software

VendorProductVersion RangeStatus
nocodbnocodb< 2026.04.1affected

Weaknesses

  • CWE-208: CWE-208: Observable Timing Discrepancy
  • CWE-307: CWE-307: Improper Restriction of Excessive Authentication Attempts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References