CyberRota
← Ana sayfaya dön

CVE-2026-46549

LOW · CVSS 2 EPSS %0.15 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-06-23T21:16:58.197 · Çekilme zamanı: 2026-06-30T18:30:41.736380+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

GitHub PoC Linkleri
github.com

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-46549
Severity
LOW
CVSS
2
EPSS
%0.15

Orijinal NVD Açıklaması

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.