CVE-2026-28360 Overview
CVE-2026-28360 is a cryptographic vulnerability in NocoDB, a popular open-source software platform for building databases as spreadsheets. Prior to version 0.301.3, the application stored shared view passwords in plaintext in the database and compared them using direct string equality. This insecure credential storage practice exposes sensitive authentication data to potential compromise if an attacker gains access to the database.
Critical Impact
Shared view passwords stored in plaintext can be directly read by attackers with database access, potentially compromising all protected shared views and their associated data.
Affected Products
- NocoDB versions prior to 0.301.3
- All deployments using shared view password protection feature
- Self-hosted and cloud instances running vulnerable versions
Discovery Timeline
- 2026-03-02 - CVE-2026-28360 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28360
Vulnerability Analysis
This vulnerability falls under CWE-256 (Plaintext Storage of a Password), a well-documented security weakness where applications store credentials without proper cryptographic protection. In NocoDB, when users create shared views with password protection, the application was designed to store these passwords directly in the database without hashing or encryption.
The insecure storage mechanism means that anyone with read access to the database—whether through SQL injection, database backup exposure, insider threat, or direct database compromise—could retrieve all shared view passwords in their original form. Additionally, the use of direct string equality comparison rather than constant-time comparison introduces potential timing attack vectors.
Root Cause
The root cause of this vulnerability is the failure to implement proper password hashing before storage. Instead of using a secure one-way hash function (such as bcrypt, Argon2, or scrypt) to transform passwords into irreversible hashes, the application stored raw password strings directly in database columns. This design decision violates fundamental security principles for credential management and contradicts industry best practices established in standards like OWASP Application Security Verification Standard (ASVS).
Attack Vector
The vulnerability is exploitable over the network by attackers who can gain access to the underlying database. Attack scenarios include:
Database Compromise: An attacker who compromises the database server can directly query the table containing shared view configurations and extract all plaintext passwords.
SQL Injection: If SQL injection vulnerabilities exist elsewhere in the application, attackers could potentially exfiltrate the password data.
Backup Exposure: Database backups containing the plaintext passwords could be compromised through insecure storage or transmission.
Insider Threat: Database administrators or developers with legitimate database access could view all shared view passwords without authorization.
Once passwords are obtained, attackers can access any password-protected shared views, potentially exposing sensitive data stored in those database views.
Detection Methods for CVE-2026-28360
Indicators of Compromise
- Unusual database query patterns targeting shared view configuration tables
- Unexpected access to shared views from unfamiliar IP addresses or user agents
- Database export or backup operations initiated by unauthorized accounts
- Evidence of SQL injection attempts in application logs
Detection Strategies
- Monitor database access logs for queries targeting password storage columns
- Implement database activity monitoring (DAM) solutions to detect bulk credential extraction
- Review application logs for anomalous shared view access patterns
- Audit database user permissions to identify over-privileged accounts
Monitoring Recommendations
- Enable detailed database query logging and forward logs to a SIEM solution
- Configure alerts for direct table access bypassing application layer
- Implement honeypot shared views to detect unauthorized access attempts
- Monitor for lateral movement following potential credential exposure
How to Mitigate CVE-2026-28360
Immediate Actions Required
- Upgrade NocoDB to version 0.301.3 or later immediately
- Rotate all shared view passwords after upgrading to ensure old plaintext passwords are replaced with properly hashed versions
- Audit database access logs for signs of unauthorized access to credential data
- Review and restrict database access permissions to minimize exposure
Patch Information
NocoDB has addressed this vulnerability in version 0.301.3. The patch implements proper password hashing for shared view passwords, replacing the plaintext storage mechanism with secure cryptographic hashing. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed patch information, refer to the NocoDB Release Notes and the GitHub Security Advisory GHSA-mpp2-x7wv-38hv.
Workarounds
- Restrict database access to only essential personnel and services pending upgrade
- Implement network segmentation to limit database exposure
- Consider temporarily disabling shared view password protection for highly sensitive data until the patch is applied
- Deploy additional monitoring on database access to detect potential exploitation attempts
# Upgrade NocoDB to the patched version (npm: install the pinned release)
npm install nocodb@0.301.3
# Or using Docker: pull the patched image, then recreate the running container from it
docker pull nocodb/nocodb:0.301.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.