What happened
Two low-severity NocoDB CVEs published 2026-06-23: MCP token holders can read attachments across workspace boundaries (CVE-2026-47388, CVSS 2.3), and OAuth tokens with restricted scopes bypass ACL enforcement (CVE-2026-46549, CVSS 2.0). Both are narrow-blast-radius authorization oversights in NocoDB's MCP integration.
Why it matters
NocoDB is used as a database backend for AI agent workflows via MCP. Scope enforcement failures in MCP tokens undermine the principle of least privilege for agentic access: an AI agent granted a minimal MCP scope can silently access more data than intended.
Attack vector
(CVE-2026-47388) A low-privilege MCP token holder can read any attachment file in shared storage by knowing its path, bypassing workspace scoping. (CVE-2026-46549) OAuth tokens issued with restricted scopes (e.g. MCP-only) inherit the full ACL permissions of the user they were issued to, because the ACL middleware never checks oauth_scope.
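To make both oversights concrete, the following is an added illustration (not NocoDB's code): a toy authorization layer with the weak check that consults only the user's ACL beside the corrected check that also requires the token's oauth_scope to grant the permission and binds attachment reads to the token's workspace. The token shape, the scope-to-permission mapping and the `<workspace>/<file>` storage layout are assumptions for the example.

```javascript
// Constructed sample data; none of this is NocoDB's schema.
const userAcl = {
  alice: new Set(['table:read', 'table:write', 'attachment:read']),
};

// OAuth token issued to alice with an MCP-only scope, bound to workspace ws-a.
const tokens = {
  mcpOnly: { user: 'alice', oauth_scope: ['mcp'], workspace: 'ws-a' },
};

// Assumed mapping: which ACL permissions each OAuth scope is allowed to exercise.
const scopePermissions = {
  mcp: new Set(['table:read', 'attachment:read']),
};

// Weak form: the ACL decision is based on the user alone; oauth_scope is ignored,
// so a restricted token carries every permission its owner has.
function canWeak(token, permission) {
  return userAcl[token.user].has(permission);
}

// Corrected form: the permission must be granted by the user's ACL AND by at
// least one scope present on the token. A token without scopes grants nothing.
function canFixed(token, permission) {
  if (!userAcl[token.user].has(permission)) return false;
  const scopes = token.oauth_scope ?? [];
  return scopes.some((s) => scopePermissions[s]?.has(permission) === true);
}

// Weak form: anyone with attachment:read may fetch any path in shared storage.
function attachmentAllowedWeak(token, path) {
  return canWeak(token, 'attachment:read');
}

// Corrected form: derive the owning workspace from the storage path (assumed
// layout "<workspace>/<file>") and refuse paths outside the token's workspace.
function attachmentAllowedFixed(token, path) {
  const segments = path.split('/');
  if (segments.length < 2 || segments.includes('..')) return false;
  return canFixed(token, 'attachment:read') && segments[0] === token.workspace;
}

// Stand-alone demo: the weak checks say "true" in both problematic cases.
console.log(canWeak(tokens.mcpOnly, 'table:write'), canFixed(tokens.mcpOnly, 'table:write'));
console.log(attachmentAllowedWeak(tokens.mcpOnly, 'ws-b/secret.png'),
            attachmentAllowedFixed(tokens.mcpOnly, 'ws-b/secret.png'));
```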
Affected systems
NocoDB < 2026.05.1 (CVE-2026-47388); < 2026.04.1 (CVE-2026-46549)
Mitigation
Upgrade NocoDB to 2026.05.1 (CVE-2026-47388) and 2026.04.1 (CVE-2026-46549). Advisories: https://github.com/nocodb/nocodb/security/advisories/GHSA-xxpj-q764-9r6q and GHSA-m5qg-rvjq-727p