NocoDB Password Reset Endpoint Exposes User Email Existence
CVE-2026-28358
GHSA-387m-j3p9-3php
Summary
The NocoDB password reset endpoint can reveal whether an email address is registered with the system. This lets an unauthenticated attacker confirm which guessed email addresses belong to existing accounts. To protect your users, update NocoDB to the fixed version.
What to do
- Update pranavxc nocodb to version 0.301.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| pranavxc | nocodb | <= 0.301.2 | 0.301.3 |
| nocodb | nocodb | <= 0.301.3 | – |
Original title
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
Original description
### Summary
The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.
### Details
`POST /api/v2/auth/password/forgot` returned a success message for registered emails but `'Your email has not been registered.'` for unknown emails. The fix returns a uniform response regardless of whether the email exists.
### Impact
An unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.
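The following is an added example, not NocoDB's code: a minimal simulation of the `POST /api/v2/auth/password/forgot` handler in its pre-fix and post-fix shapes, with a constructed in-memory user table, plus the check a maintainer can use as a regression test that the response no longer depends on account existence. The success message, the token-issuing helper and the user data are assumptions; only the error string is taken from the advisory.

```javascript
// Constructed sample data standing in for the NocoDB user table.
const registeredUsers = new Set(['alice@example.test']);

// Side effect that should happen only for real accounts (hypothetical stand-in
// for generating and e-mailing a reset token). Its absence must not be
// observable from the HTTP response.
const issuedTokens = [];
function issueResetToken(email) {
  issuedTokens.push(email);
}

function normalizeEmail(body) {
  return String((body && body.email) || '').trim().toLowerCase();
}

// Vulnerable shape (CWE-204): status and message differ with account existence,
// so the endpoint doubles as an "is this email registered?" oracle.
function forgotPasswordVulnerable(body) {
  const email = normalizeEmail(body);
  if (!registeredUsers.has(email)) {
    return { status: 400, body: { msg: 'Your email has not been registered.' } };
  }
  issueResetToken(email);
  return { status: 200, body: { msg: 'Please check your email to reset the password.' } };
}

// Fixed shape: the response is identical for known and unknown addresses; the
// token is still only issued for real accounts. (Response-time differences are
// a separate concern not addressed here.)
function forgotPasswordFixed(body) {
  const email = normalizeEmail(body);
  if (registeredUsers.has(email)) issueResetToken(email);
  return { status: 200, body: { msg: 'If that email is registered, a reset link has been sent.' } };
}

// Regression check: a handler is free of this oracle only if a registered and an
// unregistered address produce the same status and the same body.
function responsesIndistinguishable(handler, knownEmail, unknownEmail) {
  const a = handler({ email: knownEmail });
  const b = handler({ email: unknownEmail });
  return a.status === b.status && JSON.stringify(a.body) === JSON.stringify(b.body);
}
```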
### Credit
This issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).
NVD CVSS 3.1: 5.3
NVD CVSS 4.0: 2.7
Vulnerability type
CWE-204
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026