CVE-2026-56773 | Teable's v2 REST API controller lacks @Permissions metadata … | CVSS 8.8 HIGH

Description

Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.

Metadata

CVE ID: CVE-2026-56773
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-23 01:22 UTC
Published: 2026-06-26 14:38 UTC
Last updated: 2026-06-27 02:37 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: teableio / teable
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
teableio	teable	—	0 < 2026-06-15T04-43-24Z.1912

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)