CVE-2026-56781
Teable - Unauthenticated Hidden Field Disclosure via Projection Parameter Override
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and specify them in projection parameters to read field values that are intended to be restricted from public view.
| CWE | CWE-639 |
| Vendor | teableio |
| Product | teable |
| Published | Jun 29, 2026 |
| Last Updated | Jun 29, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
teableio / teable
0 < 2026-06-15T04-43-24Z.1912
References
github.com: https://github.com/teableio/teable/releases/tag/release.2026-06-15T04-43-24Z.1912
github.com: https://github.com/teableio/teable/issues/3335
github.com: https://github.com/teableio/teable/pull/3353
vulncheck.com: https://www.vulncheck.com/advisories/teable-unauthenticated-hidden-field-disclosure-via-projection-parameter-override
Credits
George Chen