Severity: LOW

GHSA-387m-j3p9-3php

NocoDB Vulnerable to User Enumeration via Password Reset Endpoint

Details

### Summary

The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.

### Details

`POST /api/v2/auth/password/forgot` returned a success message for registered emails but `'Your email has not been registered.'` for unknown emails. The fix returns a uniform response regardless of whether the email exists.

### Impact

An unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.
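To make the defect and the fix concrete, here is an added example (not NocoDB's own code) that models a minimal "forgot password" handler twice: once leaking account existence through a different status and message, and once returning the same response on both paths. The in-memory user store, the success message text, and the helper names `isRegistered`, `sendResetEmail` and `responsesAreUniform` are constructed for this illustration; only the `'Your email has not been registered.'` string comes from the advisory.

```typescript
// Added example, not NocoDB code: a minimal model of the forgot-password
// endpoint, with the user-enumerating variant beside a uniform-response fix.
// The user store, messages and helper names below are constructed for this example.

type ForgotResponse = { status: number; body: { msg: string } };

// Constructed in-memory user store standing in for the application's database.
const registeredEmails = new Set<string>(['alice@example.com']);

// Records what the mail stand-in "sent", so a test can check the reset mail
// is still delivered to real accounts after the fix.
const sentResetMails: string[] = [];

function isRegistered(email: string): boolean {
  return registeredEmails.has(email.trim().toLowerCase());
}

// Stand-in for mail delivery.
function sendResetEmail(email: string): void {
  sentResetMails.push(email.trim().toLowerCase());
}

// Vulnerable variant: the response differs depending on whether the email
// exists, so an unauthenticated caller can confirm which addresses have accounts.
function forgotPasswordVulnerable(email: string): ForgotResponse {
  if (!isRegistered(email)) {
    return { status: 400, body: { msg: 'Your email has not been registered.' } };
  }
  sendResetEmail(email);
  return { status: 200, body: { msg: 'Please check your email to reset the password' } };
}

// Fixed variant: status and message are identical on both paths. The reset
// mail is only sent when an account exists, but the caller cannot tell.
function forgotPasswordUniform(email: string): ForgotResponse {
  if (isRegistered(email)) {
    sendResetEmail(email);
  }
  return {
    status: 200,
    body: { msg: 'If an account exists for this email, a reset link has been sent.' },
  };
}

// Regression check a maintainer can keep in the test suite: the observable
// response must not depend on whether the address belongs to an account.
function responsesAreUniform(handler: (email: string) => ForgotResponse): boolean {
  const known = handler('alice@example.com');
  const unknown = handler('nobody@example.com');
  return known.status === unknown.status && known.body.msg === unknown.body.msg;
}
```

A uniform body and status code close the leak described in the advisory, but a handler that sends the mail synchronously on one path and returns immediately on the other can still differ measurably in response time; hardened implementations typically enqueue the mail so both paths do the same amount of work before responding.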

### Credit

This issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).


Affected packages

npm / nocodb
First affected version: 0; fixed version: 0.301.3
Fix: npm install nocodb@0.301.3

References