js · nocodb
Heads-up
nocodb: Shared-view relation endpoints now enforce column visibility check
Public shared-view relation endpoints (`publicMmList`, `publicHmList`, `relDataList`) now verify that the requested column's `show` flag is true before returning data.
What changed
Public shared-view relation endpoints (`publicMmList`, `publicHmList`, `relDataList`) now verify that the requested column's `show` flag is true before returning data. Previously, only column ownership was checked, not visibility.
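The check described above, as an added illustration that is not NocoDB's own code: a simplified model of a shared-view relation handler before and after the fix. The data shapes (`tableColumns`, `sharedView.viewColumns`) and the handler names are assumptions made for this example.

```javascript
// Constructed sample data (not taken from NocoDB). Table columns model
// ownership: which table a column belongs to.
const tableColumns = [
  { id: "col_customer", fk_model_id: "table_orders", uidt: "LinkToAnotherRecord" },
  { id: "col_notes",    fk_model_id: "table_orders", uidt: "LinkToAnotherRecord" },
  { id: "col_vendor",   fk_model_id: "table_invoices", uidt: "LinkToAnotherRecord" },
];

// A shared view over table_orders. Per-view column config carries the
// `show` flag; col_notes is an LTAR column the view owner has hidden.
const sharedView = {
  fk_model_id: "table_orders",
  viewColumns: { col_customer: { show: true }, col_notes: { show: false } },
};

// Constructed linked records keyed by column id.
const linkedRows = {
  col_customer: [{ id: 1, name: "Acme Corp" }],
  col_notes:    [{ id: 9, note: "margin negotiable" }],
  col_vendor:   [{ id: 3, name: "Globex" }],
};

// Before: only ownership is checked, so a hidden column still returns data.
function relDataListBefore(view, columnId) {
  const col = tableColumns.find((c) => c.id === columnId);
  if (!col || col.fk_model_id !== view.fk_model_id) return null; // not this view's table
  return linkedRows[columnId] ?? [];
}

// After: ownership AND visibility; a hidden column is treated as absent,
// so the response does not reveal whether the column exists.
function relDataListAfter(view, columnId) {
  const col = tableColumns.find((c) => c.id === columnId);
  if (!col || col.fk_model_id !== view.fk_model_id) return null;
  if (view.viewColumns[columnId]?.show !== true) return null; // visibility check
  return linkedRows[columnId] ?? [];
}
```

Running `relDataListBefore(sharedView, "col_notes")` returns the hidden column's rows, while `relDataListAfter` returns `null` for it and still serves `col_customer`.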
Who it affects
All NocoDB instances using shared views with hidden LTAR columns. Anyone holding a share UUID could previously enumerate linked records from hidden columns.
What to do today
Update NocoDB to the latest patched version to prevent unauthorized data exposure via shared-view relation endpoints.
Source
GitHub Advisory · nocodb