CVE-2026-56781 | Teable before 2026-06-15T04-43-24Z.1912 contains an improper… | CVSS 5.3 MEDIUM

Description

Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and specify them in projection parameters to read field values that are intended to be restricted from public view.

Metadata

CVE ID: CVE-2026-56781
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-23 01:24 UTC
Published: 2026-06-29 17:15 UTC
Last updated: 2026-06-29 18:22 UTC
Primary CWE: CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product: teableio / teable
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
teableio	teable	—	0 < 2026-06-15T04-43-24Z.1912

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	Authorization Bypass Through User-Controlled Key

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

Release Notes https://github.com/teableio/teable/releases/tag/release.2026-06-15T04-43-24Z.1912
Researcher Disclosure https://github.com/teableio/teable/issues/3335
Pull Request https://github.com/teableio/teable/pull/3353
https://www.vulncheck.com/advisories/teable-unauthenticated-hidden-field-disclosure-via-projection-parameter-override