CVE-2026-56773
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| teableio | teable | 0 < 2026-06-15T04-43-24Z.1912 | affected |
Weaknesses
- CWE-862: Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/teableio/teable/releases/tag/release.2026-06-15T04-43-24Z.1912
- https://github.com/teableio/teable/pull/3285
- https://www.vulncheck.com/advisories/teable-missing-authorization-in-v2-rest-api
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.