CVE-2026-28361: CVE-2026-28361: IDOR in NocoDB MCP Token Service

CVE-2026-28361: IDOR in NocoDB MCP Token Service

Vulnerability ID: CVE-2026-28361
CVSS Score: 4.9
Published: 2026-03-02

A medium-severity Insecure Direct Object Reference (IDOR) vulnerability exists in NocoDB versions prior to 0.301.3. The flaw is located in the Model Context Protocol (MCP) Token service, where improper authorization checks allow authenticated users with 'Creator' privileges to access, regenerate, or delete MCP tokens belonging to other users within the same base. Successful exploitation requires knowledge of the target token's identifier.

TL;DR

NocoDB fails to verify ownership of MCP tokens in API requests, allowing authenticated 'Creators' to manipulate other users' tokens by guessing or obtaining their IDs. Patched in version 0.301.3.

---

Technical Details

• CWE: CWE-639 (IDOR)
• CVSS v4.0: 4.9 (Medium)
• Attack Vector: Network (Authenticated)
• Fix Version: 0.301.3
• Component: McpTokenService
• Exploit Maturity: Unproven

Affected Systems

• NocoDB
• NocoDB: < 0.301.3 (Fixed in: 0.301.3)

Mitigation Strategies

• Update NocoDB to version 0.301.3 or later immediately.
• Implement restrictive network policies for the /api/v1/db/meta/mcp-tokens/ endpoints if patching is not immediately feasible.
• Audit access logs for 4xx errors or unusual access patterns to MCP token endpoints.

Remediation Steps:

1. Backup the NocoDB database and configuration.
2. Pull the latest Docker image: docker pull nocodb/nocodb:0.301.3.
3. Restart the NocoDB container with the new image.
4. Verify the fix by attempting to access a token from a different user account (should return 404/403).

References

• GitHub Advisory GHSA-p9x3-w98f-7j3q
• NVD Entry for CVE-2026-28361

---

Read the full report for CVE-2026-28361 on our website for more details including interactive diagrams and full exploit analysis.