CVE-2026-56773

Teable - Missing Authorization in v2 REST API

CVSS 8.7 HIGHEPSS 0.4%CWE-862

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.7EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

26 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

teableio · teable

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/teableio/teable/pull/3285 https://github.com/teableio/teable/releases/tag/release.2026-06-15T04-43-24Z.1912 https://www.vulncheck.com/advisories/teable-missing-authorization-in-v2-rest-api