Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summary
Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time.
Details
The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days.
Impact
Tokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator's expected security guarantee that deletion is immediate.
Credit
This issue was reported by @bugbunny-research.
AnalysisAI
NocoDB's API token revocation is ineffective for up to three days due to a stale authentication cache, meaning deleted tokens continue to grant full API access during the cache TTL window. Operators who revoke a compromised or leaked token - expecting immediate cessation of access - receive no such guarantee; the deleted token remains accepted by the auth middleware until its cache entry ages out. This vulnerability (CWE-613: Insufficient Session Expiration) affects all NocoDB instances running npm package version 0.301.3 and earlier. No vendor-released patch has been identified at time of analysis. No public exploit and no CISA KEV listing have been identified.
Technical ContextAI
NocoDB (pkg:npm/nocodb) is an open-source no-code database platform that exposes a REST API secured via API tokens. The authentication middleware resolves incoming token values against an in-memory cache rather than querying the database on each request - a common performance optimization. The flaw, classified under CWE-613 (Insufficient Session Expiration), is that the token deletion code path only removes the database row and does not evict the corresponding cache entry keyed by token value. As a result, the cache serves as the authoritative trust anchor for up to the full TTL window (reported as up to three days), completely bypassing the database deletion. This is an architectural gap between the persistence layer and the cache invalidation strategy in the auth middleware.
RemediationAI
No vendor-released patch has been identified at time of analysis for NocoDB <= 0.301.3. Until a patched release is available, operators should consider the following specific compensating controls. First, restarting the NocoDB application process will flush the in-memory auth cache immediately, forcing all tokens to re-validate against the database on next use - this is the most direct way to achieve immediate revocation after a token deletion, but requires a service restart. Second, if token deletion is performed in response to a suspected compromise, treat the three-day window as an active exposure period and audit API logs for continued usage of the deleted token during that time. Third, reduce reliance on API token revocation as the sole response to a compromise; combine with network-level access controls (firewall rules restricting NocoDB API exposure to trusted IP ranges) to limit what a stale token can reach. Note that restarting the service disrupts active sessions and API consumers, and network restrictions may break legitimate integrations. Monitor the advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-f76x-f9vj-92jv for patch availability.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38622
GHSA-f76x-f9vj-92jv