nocodb MCP readAttachment tool now enforces file ownership check
What changed
The MCP `readAttachment` tool now verifies file ownership by looking up the path in `nc_file_references` and checking that the `base_id` matches the caller's MCP context before streaming the file.
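The ownership check described above, sketched as an added example that is not NocoDB's own code: it looks up the requested path in an in-memory stand-in for `nc_file_references` and allows the read only when a row's `base_id` matches the caller's context. The row shape (`file_path`), the function names, the sample rows and the path normalization step are assumptions made for illustration.

```javascript
// Added illustration, not NocoDB source code. The row shape (file_path, base_id)
// and every function name here are assumptions; the advisory names only the
// nc_file_references table and the base_id comparison.

// Constructed sample rows standing in for nc_file_references.
const FILE_REFERENCES = [
  { file_path: 'nc/uploads/2024/01/invoice.pdf', base_id: 'base_A' },
  { file_path: 'nc/uploads/2024/01/roadmap.png', base_id: 'base_B' },
];

// Canonicalize before lookup so the check and the later read agree on one path.
// (Added precaution; the advisory does not describe path normalization.)
function normalizeStoragePath(p) {
  if (typeof p !== 'string' || p === '' || p.includes('\0')) return null;
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would climb above the storage root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.length ? out.join('/') : null;
}

// Decide whether the caller's MCP context may read the requested file.
function authorizeAttachmentRead(context, requestedPath, refs = FILE_REFERENCES) {
  const normalized = normalizeStoragePath(requestedPath);
  if (!normalized) return { allowed: false, reason: 'invalid_path' };
  if (!context || !context.base_id) return { allowed: false, reason: 'no_context' };

  const rows = refs.filter((r) => r.file_path === normalized);
  // Fail closed: a file with no reference row has no provable owner.
  if (rows.length === 0) return { allowed: false, reason: 'no_reference' };
  // Ownership: at least one reference must belong to the caller's base.
  if (!rows.some((r) => r.base_id === context.base_id)) {
    return { allowed: false, reason: 'base_mismatch' };
  }
  return { allowed: true, path: normalized }; // stream this path, not the raw input
}
```

The decision is made before any bytes are read, and the `reason` field gives a value to log for denied requests.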
Who it affects
Users of NocoDB with MCP tokens enabled, especially those sharing storage across bases or workspaces.
What to do today
Update NocoDB to the latest patched version and review MCP token permissions.
Source
GitHub Advisory · nocodb