CVE-2026-53926
NocoDB: OAuth Tokens Persist Through Security Events
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.
| CWE | CWE-613 |
| Vendor | nocodb |
| Product | nocodb |
| Published | Jun 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for nocodb nocodb
Be the first to know when new unknown vulnerabilities affecting nocodb nocodb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
nocodb / nocodb
< 2026.05.1