← back
CVE-2026-56781

Teable - Unauthenticated Hidden Field Disclosure via Projection Parameter Override

CVSS 6.9 MEDIUMCWE-639
Vexday Risk Score
10Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
29 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and specify them in projection parameters to read field values that are intended to be restricted from public view.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
teableio · teable

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/teableio/teable/issues/3335https://github.com/teableio/teable/pull/3353https://github.com/teableio/teable/releases/tag/release.2026-06-15T04-43-24Z.1912https://www.vulncheck.com/advisories/teable-unauthenticated-hidden-field-disclosure-via-projection-parameter-override