Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Metrics
Affected Vendors & Products
References
History
Sat, 27 Jun 2026 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 26 Jun 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Teableio
Teableio teable |
|
| Vendors & Products |
Teableio
Teableio teable |
Fri, 26 Jun 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords. | |
| Title | Teable - Missing Authorization in v2 REST API | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-26T14:38:32.177Z
Updated: 2026-06-27T02:37:44.123Z
Reserved: 2026-06-23T01:22:22.571Z
Link: CVE-2026-56773
Updated: 2026-06-27T02:37:30.715Z
No data.
No data.