NocoDB MCP Token Service Ownership Validation Vulnerability

Vulnerability

A vulnerability exists in NocoDB's MCP token service in versions prior to 0.301.3, where the service failed to validate token ownership. This flaw allowed a user with the Creator role to read, regenerate, or delete another user's MCP tokens, provided the token ID was known. The issue arose because the token service operations did not filter by user ID, unlike the related API tokens service, which correctly enforced ownership.
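
The bug class described above, as an added example that is not NocoDB's code: a minimal in-memory token service with the unfiltered lookup beside the ownership-checked one. All names (McpToken, McpTokenService, the sample user and token IDs) are hypothetical.

```typescript
// Added example, not NocoDB's code: a minimal in-memory MCP token service
// showing the ownership bug class above. All names here are hypothetical.
type McpToken = { id: string; ownerId: string; secret: string };

let secretCounter = 0;
// Placeholder secret generator so the example runs offline; a real service
// would draw the secret from a CSPRNG.
function newSecret(): string {
  return `secret-${++secretCounter}`;
}

class McpTokenService {
  private tokens: Record<string, McpToken> = {};

  constructor(seed: McpToken[]) {
    for (const t of seed) this.tokens[t.id] = { ...t };
  }

  // Vulnerable lookup: keyed on token ID alone, so any caller who knows the
  // ID (in the advisory, any user with the Creator role) gets the token back.
  vulnerableGet(tokenId: string): McpToken | undefined {
    return this.tokens[tokenId];
  }

  // Fixed lookup: the caller's user ID is part of the query. A token owned by
  // someone else is reported exactly like a token that does not exist.
  get(tokenId: string, callerId: string): McpToken | undefined {
    const t = this.tokens[tokenId];
    return t !== undefined && t.ownerId === callerId ? t : undefined;
  }

  // Regenerate and delete are built on the ownership-checked lookup, so the
  // check cannot be bypassed by choosing a different operation.
  regenerate(tokenId: string, callerId: string): McpToken | undefined {
    const t = this.get(tokenId, callerId);
    if (t !== undefined) t.secret = newSecret();
    return t;
  }

  remove(tokenId: string, callerId: string): boolean {
    if (this.get(tokenId, callerId) === undefined) return false;
    delete this.tokens[tokenId];
    return true;
  }
}

// Constructed sample data: alice owns one token; bob is another Creator.
function seedService(): McpTokenService {
  return new McpTokenService([{ id: "tok-a1", ownerId: "alice", secret: "secret-0" }]);
}
```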

Impact

Exploitation of this vulnerability could lead to unauthorized access to, and manipulation of, MCP tokens belonging to other users, including the ability to invalidate those tokens. This could disrupt workflows or integrations relying on those tokens.

Remediation

This vulnerability is fixed in NocoDB version 0.301.3; users should upgrade to that version or later.

Added: Mar 2, 2026, 5:21 PM
Updated: Mar 2, 2026, 9:15 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 3.1
exploitability: 4.8
remediation: 7.7
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.