NocoDB Stores Shared View Passwords in Plain Text

CVE-2026-28360 GHSA-mpp2-x7wv-38hv
Summary

NocoDB, a low-code database platform, stores shared view passwords in plain text, allowing them to be easily read if the database is compromised. This means that if an attacker gains access to the database, they can see all shared view passwords without needing to crack them. To protect your shared view passwords, use strong, unique passwords and consider changing them regularly, especially if you're concerned about database security.

What to do
  • Update pranavxc nocodb to version 0.301.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| pranavxc | nocodb | <= 0.301.2 | 0.301.3 |
| nocodb | nocodb | <= 0.301.3 | – |
Original title
NocoDB has Plaintext Storage of Shared View Passwords
Original description
### Summary
Shared view passwords were stored in plaintext in the database and compared using direct string equality.

### Details
The `password` column in `nc_views` stored unhashed passwords. Verification used `!==` comparison across `public-datas.service.ts`, `public-metas.service.ts`, and `calendar-datas.service.ts`.
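
The storage and comparison pattern described above, next to a salted-hash alternative, as an added example (not NocoDB's code, and not a statement of how 0.301.3 implements the fix). The function names, the `scrypt$salt$hash` record format and the row shape are assumptions made for illustration.

```javascript
// Added example; not NocoDB source. All names and the record format are assumptions.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const KEYLEN = 32; // bytes of scrypt output kept per password

// Pattern from the advisory: the column holds the password itself and the
// check is a direct `!==` string comparison.
function verifyPlaintext(view, supplied) {
  if (view.password !== supplied) return false;
  return true;
}

// Hardened storage: "scrypt$<salt b64>$<hash b64>" with a fresh salt per password.
function hashViewPassword(password) {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, KEYLEN);
  return ['scrypt', salt.toString('base64'), hash.toString('base64')].join('$');
}

// Returns { salt, hash } for a well-formed record, or null for anything else
// (including a legacy plaintext value).
function parseRecord(stored) {
  const parts = typeof stored === 'string' ? stored.split('$') : [];
  if (parts.length !== 3 || parts[0] !== 'scrypt') return null;
  const hash = Buffer.from(parts[2], 'base64');
  return hash.length === KEYLEN ? { salt: Buffer.from(parts[1], 'base64'), hash } : null;
}

// Recompute the hash from the supplied password and compare in constant time.
function verifyViewPassword(stored, supplied) {
  const rec = parseRecord(stored);
  if (!rec || typeof supplied !== 'string') return false; // fail closed
  return timingSafeEqual(scryptSync(supplied, rec.salt, KEYLEN), rec.hash);
}

// One-time migration for rows written before hashing was introduced.
function migrateLegacyRow(view) {
  if (view.password && !parseRecord(view.password)) {
    view.password = hashViewPassword(view.password);
  }
  return view;
}
```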

### Impact
If the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.

### Credit
This issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).
nvd CVSS3.1 5.3
nvd CVSS4.0 2.7
Vulnerability type
CWE-256
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026