We found results for “


Date: January 10, 2022


In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses.


NocoDB password-reset feature displays an error message when an email doesn’t exist in the application. This allows attackers to enumerate the registered users' email addresses.

PoC Details

Sign up to the NocoDB application with your email address, then logout and go to the reset password page.
Enter the email address that you registered with and you should see the system replies with a success message which indicates that the email address exists, try again with some random email and you should get a message showing that the user does not exist.

Affected Environments

0.9 to 0.83.8


Update to version 0.84.0 or later

Language: VUE

Good to know:




Observable Discrepancy


Upgrade Version

Upgrade to version nocodb - 0.84.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Additional information: