Skip to main content

NocoDB CVE-2026-46550

| EUVDEUVD-2026-38585 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-05-21 https://github.com/nocodb/nocodb GHSA-f74w-272x-mqcv
5.4
CVSS 3.1 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 23:02 EUVD
Source Code Evidence Fetched
May 21, 2026 - 21:38 vuln.today
Analysis Generated
May 21, 2026 - 21:38 vuln.today

DescriptionCVE.org

Summary

The refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint.

Details

In packages/nocodb/src/services/users/helpers.ts, setTokenCookie produced the cookie with only httpOnly, an expires date, and an optional domain from NC_BASE_HOST_NAME - no secure, no sameSite. The refresh endpoint POST /api/v2/auth/token/refresh (auth.controller.ts) read the cookie unconditionally and returned a new JWT, with no CSRF token.

The fix sets httpOnly: true, sameSite: 'lax', and conditional secure: req.ncSiteUrl.startsWith('https') so the flag is active under HTTPS while still functional on plain-HTTP localhost development.

This is distinct from GHSA-x4vh-j75g-268g (refresh-token lifecycle on password reset) - different root cause, different attack vector.

Impact

  • Cookie interception on plain HTTP networks (no secure).
  • Cross-site refresh: malicious cross-origin pages could trigger token refresh and, combined with any same-origin XSS or open-redirect on the NocoDB domain, capture the new JWT.
  • Refresh tokens have multi-day expiry (NC_REFRESH_TOKEN_EXP_IN_DAYS), so the exposure window is long.

Credit

This issue was reported by @ik0z.

AnalysisAI

NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in setTokenCookie - issued with only httpOnly: true and no secure or sameSite attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the POST /api/v2/auth/token/refresh endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via NC_REFRESH_TOKEN_EXP_IN_DAYS, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.

Technical ContextAI

CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) identifies the root cause class: the setTokenCookie function in packages/nocodb/src/services/users/helpers.ts constructed the refresh-token cookie with only httpOnly, an expires date, and an optional domain drawn from the NC_BASE_HOST_NAME environment variable, omitting both the secure flag and sameSite attribute. The affected package is pkg:npm/nocodb, NocoDB's open-source no-code database backend. The companion flaw is in auth.controller.ts - the POST /api/v2/auth/token/refresh endpoint reads the cookie unconditionally and returns a new JWT with no CSRF token check. Without sameSite, browsers default to permissive behavior (pre-2020 engines) or Lax (modern engines), but cross-origin POST subresource requests remain allowed in many scenarios, enabling CSRF. This vulnerability is distinct from GHSA-x4vh-j75g-268g, which involved refresh-token lifecycle on password reset with a different root cause and attack vector. The documented fix adds sameSite: 'lax' and conditionally sets secure based on whether req.ncSiteUrl starts with https, preserving functionality on plain-HTTP localhost development.

RemediationAI

No vendor-released patched version is confirmed at time of analysis - the advisory states 'fixed in: None,' meaning the fix logic is documented (adding httpOnly: true, sameSite: 'lax', and conditional secure based on whether req.ncSiteUrl starts with https) but no released version number is independently verified. Monitor the NocoDB advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-f74w-272x-mqcv and the npm package page for a patched release. As immediate compensating controls: enforce HTTPS exclusively for all NocoDB deployments via a reverse proxy (nginx, Caddy), which eliminates the cookie interception path entirely - the missing secure flag becomes irrelevant when plain HTTP is blocked. To partially mitigate the CSRF path, configure a reverse proxy to inject SameSite=Lax into Set-Cookie headers; note this may not fully replicate application-level CSRF token validation and could interfere with any legitimate cross-origin flows. Additionally, restrict the /api/v2/auth/token/refresh endpoint at the proxy layer to enforce same-origin Origin or Referer header validation, rejecting cross-origin POST requests. Organizations should treat deployment behind HTTPS-only infrastructure as the minimum baseline until an official patch is released.

Share

CVE-2026-46550 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy