CVE-2026-56773
Teable · Teable
The Teable v2 REST API lacks necessary permission metadata on ORPC endpoints, enabling authenticated users to bypass authorization controls.
Executive summary
An authorization bypass vulnerability in Teable's v2 REST API allows authenticated users to access or modify data beyond their intended privilege level.
Vulnerability
The issue stems from missing @Permissions metadata on ORPC endpoints within the v2 REST API controller. Because the authorization layer enforces permissions from that metadata, an endpoint that declares none is effectively unrestricted: any authenticated user can invoke it and perform actions that should be limited to holders of the corresponding permission, bypassing the defined access control lists.
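As an added illustration (not Teable's own code and not the vendor's fix), the following TypeScript models the pattern the advisory describes: a permission decorator records required permissions as metadata on a route handler, and a guard reads that metadata before the handler runs. A plain Map stands in for decorator metadata; the route names, permission strings, and handlers are assumptions. It shows the fail-open guard that lets an unannotated endpoint through, the fail-closed alternative, and a startup check that lists endpoints with no metadata so the omission is caught before deployment.

```typescript
// Added illustration, not Teable's code. A Map stands in for the metadata a
// @Permissions() decorator would attach; routes, permission names and handlers
// are hypothetical.

type Permission = "table|read" | "table|update" | "space|delete";

interface Principal {
  userId: string;
  permissions: Set<Permission>;
}

type Handler = (principal: Principal) => string;

// Stand-in for decorator metadata (assumption): handler -> required permissions.
const permissionMetadata = new Map<Handler, Permission[]>();

function withPermissions(required: Permission[], handler: Handler): Handler {
  permissionMetadata.set(handler, required);
  return handler;
}

// Hypothetical v2 endpoints. The delete handler is the bug: it never got metadata.
const readTable = withPermissions(["table|read"], (p) => `rows visible to ${p.userId}`);
const updateTable = withPermissions(["table|update"], (p) => `table updated by ${p.userId}`);
const deleteSpace: Handler = (p) => `space deleted by ${p.userId}`;

const endpoints: Record<string, Handler> = {
  "GET /api/v2/table": readTable,
  "PATCH /api/v2/table": updateTable,
  "DELETE /api/v2/space": deleteSpace,
};

// Vulnerable guard: an endpoint with no metadata is treated as unrestricted,
// so any authenticated principal passes (fail open).
function guardFailOpen(principal: Principal, handler: Handler): boolean {
  const required = permissionMetadata.get(handler);
  if (required === undefined) return true;
  return required.every((perm) => principal.permissions.has(perm));
}

// Hardened guard: an endpoint with no metadata is refused (fail closed). An
// endpoint meant for any authenticated user must say so explicitly with [].
function guardFailClosed(principal: Principal, handler: Handler): boolean {
  const required = permissionMetadata.get(handler);
  if (required === undefined) return false;
  return required.every((perm) => principal.permissions.has(perm));
}

// Startup check: routes that declare no permissions, so the gap is found at
// boot or in CI rather than by an attacker.
function endpointsWithoutPermissions(): string[] {
  return Object.entries(endpoints)
    .filter(([, handler]) => !permissionMetadata.has(handler))
    .map(([route]) => route);
}

type Guard = (principal: Principal, handler: Handler) => boolean;

// Dispatch a request through the chosen guard; null stands for a 403/404.
function handleRequest(route: string, principal: Principal, guard: Guard): string | null {
  const handler = endpoints[route];
  if (handler === undefined) return null;
  return guard(principal, handler) ? handler(principal) : null;
}

// Walk-through with a read-only member (constructed input).
const viewer: Principal = {
  userId: "viewer-1",
  permissions: new Set<Permission>(["table|read"]),
};

console.log(handleRequest("DELETE /api/v2/space", viewer, guardFailOpen));   // the bypass: delete succeeds
console.log(handleRequest("DELETE /api/v2/space", viewer, guardFailClosed)); // denied
console.log(endpointsWithoutPermissions());                                   // the unannotated route
```

The fail-closed guard is the durable fix: a forgotten annotation then surfaces as a broken endpoint in testing instead of as an authorization bypass in production, and the startup listing makes the omission visible even before any request is made.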
Business impact
This vulnerability carries a CVSS score of 8.8 (High), reflecting the risk of unauthorized data access, modification, or destruction by any account that can authenticate to the platform. Within a business context, this could result in a significant data breach, loss of data integrity, and unauthorized administrative actions within the Teable platform.
Remediation
Immediate Action: Update the Teable application to the latest version provided by the vendor to remediate the missing authorization controls.
Proactive Monitoring: Audit application access logs for unusual patterns, such as standard users calling v2 API endpoints for actions their role does not grant (for example, writes or deletions by read-only members) or performing administrative-level functions.
Compensating Controls: If immediate patching is not feasible, restrict access to the sensitive ORPC endpoints of the v2 REST API at the API gateway or WAF (for example, by path, allowing only trusted clients) until the update is applied. Note that the requests in question are authenticated, so controls that only block anonymous traffic do not mitigate this issue.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability of authenticated users to bypass authorization checks is a severe security failure that undermines the principle of least privilege. Organizations using Teable must prioritize this update to prevent low-privileged or compromised accounts from escalating their access and causing widespread damage.