CVE-2026-28358
Published 2026-03-02
Priority: P3 · 37 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: EPSS 0.60% (44.3rd percentile)
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nocodb | nocodb | < 0.301.3 | 0.301.3 |
| nocodb | nocodb | >= 0 < 0.301.3 | 0.301.3 |
CVSS provenance
| Source | Scale | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSS 4.0 | 2.7 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
The two scales disagree: 5.3 MEDIUM under v3.1 (confidentiality impact low, no privileges or interaction needed) but 2.7 LOW under v4.0. The advisory and Nuclei entries below carry the LOW rating, while the Nuclei template's own severity field says medium.
OSV
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
osv · 2026-03-02 · CVE-2026-28358 · severity LOW
### Summary
The forgot-password endpoint returned different responses for registered and unregistered emails, allowing user enumeration.
### Details
`POST /api/v2/auth/password/forgot` returned a success message for registered emails but `'Your email has not been registered.'` for unknown emails, so the response body acted as an existence oracle. The fix returns a uniform response regardless of whether the email exists.
### Impact
An unauthenticated attacker can determine whether a given email address is registered. No credentials or other data are exposed.
### Credit
This issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).
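The discrepancy described under Details, modelled as an added example (not NocoDB's code) in TypeScript, the language of NocoDB's backend: a vulnerable handler that branches on whether the address exists, the uniform-response shape the fix adopts, and a differential check that flags the oracle. The in-memory user store, the mailer sink, the function names and the success messages are assumptions; only the `'Your email has not been registered.'` string comes from the advisory.

```typescript
// Added example, not NocoDB code. Models POST /api/v2/auth/password/forgot
// before and after the 0.301.3 fix and a check that detects the oracle.

interface ForgotResponse {
  status: number;
  body: { msg: string };
}

// Constructed stand-in for the users table (assumption).
const registeredUsers = new Set<string>(["alice@example.com"]);

// Stand-in for the mailer (assumption): records which reset mails would be
// sent, so the fix can be shown to still deliver them.
const sentResetMails: string[] = [];

function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Pre-0.301.3 shape: status and body depend on whether the email exists,
// so an unauthenticated caller learns which addresses are registered.
// The error string is the one quoted in the advisory; the success string
// and status codes are assumptions.
function forgotPasswordVulnerable(email: string): ForgotResponse {
  const e = normalizeEmail(email);
  if (!registeredUsers.has(e)) {
    return { status: 400, body: { msg: "Your email has not been registered." } };
  }
  sentResetMails.push(e);
  return { status: 200, body: { msg: "Please check your email to reset the password" } };
}

// Uniform-response shape (what the fix does): identical status and body
// on both paths; the mail is only sent when the user exists. The message
// text is an assumption, not the string NocoDB uses.
function forgotPasswordHardened(email: string): ForgotResponse {
  const e = normalizeEmail(email);
  if (registeredUsers.has(e)) {
    sentResetMails.push(e);
  }
  return {
    status: 200,
    body: { msg: "If that email is registered, a reset link has been sent." },
  };
}

// Differential check: call the handler with one known and one unknown
// address and report whether anything in the response distinguishes them.
function leaksRegistration(
  handler: (email: string) => ForgotResponse,
  knownEmail: string,
  unknownEmail: string,
): boolean {
  const a = handler(knownEmail);
  const b = handler(unknownEmail);
  return a.status !== b.status || a.body.msg !== b.body.msg;
}

function mailsSentTo(email: string): number {
  const e = normalizeEmail(email);
  return sentResetMails.filter((m) => m === e).length;
}

// Stand-alone run: the vulnerable handler leaks, the hardened one does not,
// and the hardened one still mails the registered user.
console.log("vulnerable leaks:", leaksRegistration(forgotPasswordVulnerable, "alice@example.com", "nobody@example.com"));
console.log("hardened leaks:", leaksRegistration(forgotPasswordHardened, "alice@example.com", "nobody@example.com"));
console.log("reset mails to alice:", mailsSentTo("alice@example.com"));
```

Against a live instance you would replace `handler` with an HTTP call and compare status, body and headers for the two addresses; also time the two requests, because a uniform body alone does not rule out a timing difference when the lookup and the mail send happen inline on only one path. A forgot-password probe sends real reset mails to any registered address you name, so run it only against an instance you administer.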
GHSA
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
ghsa · 2026-03-02 · CVE-2026-28358 · severity LOW · CWE-204 (Observable Response Discrepancy)
Advisory text identical to the OSV entry above.
No detection rules found.
Nuclei
NocoDB - User Enumeration
nuclei · CVE-2026-28358 · CVSS 2.7 · LOW
Template (only the info block is reproduced on this page):

```yaml
id: CVE-2026-28358

info:
  name: NocoDB - User Enumeration
  author: DhiyaneshDk
  severity: medium
  description: |
    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
  impact: |
    Attackers can enumerate registered users, potentially aiding further targeted attacks.
  remediation: Update to version 0.301.3
```