CVE-2026-53928

UNKNOWN 0.0

NocoDB: Refresh Tokens Persist Through Password Recovery

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.

CWE	CWE-613
Vendor	nocodb
Product	nocodb
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for nocodb nocodb

Be the first to know when new unknown vulnerabilities affecting nocodb nocodb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

nocodb / nocodb

< 2026.05.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nocodb/nocodb/security/advisories/GHSA-r989-7g3j-wjhw