Skip to main content

NocoDB CVE-2026-46554

| EUVDEUVD-2026-38622 LOW
Insufficient Session Expiration (CWE-613)
2026-05-21 https://github.com/nocodb/nocodb GHSA-f76x-f9vj-92jv
2.3
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
May 21, 2026 - 21:34 vuln.today
Analysis Generated
May 21, 2026 - 21:34 vuln.today

DescriptionCVE.org

Summary

Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time.

Details

The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days.

Impact

Tokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator's expected security guarantee that deletion is immediate.

Credit

This issue was reported by @bugbunny-research.

AnalysisAI

NocoDB's API token revocation is ineffective for up to three days due to a stale authentication cache, meaning deleted tokens continue to grant full API access during the cache TTL window. Operators who revoke a compromised or leaked token - expecting immediate cessation of access - receive no such guarantee; the deleted token remains accepted by the auth middleware until its cache entry ages out. This vulnerability (CWE-613: Insufficient Session Expiration) affects all NocoDB instances running npm package version 0.301.3 and earlier. No vendor-released patch has been identified at time of analysis. No public exploit and no CISA KEV listing have been identified.

Technical ContextAI

NocoDB (pkg:npm/nocodb) is an open-source no-code database platform that exposes a REST API secured via API tokens. The authentication middleware resolves incoming token values against an in-memory cache rather than querying the database on each request - a common performance optimization. The flaw, classified under CWE-613 (Insufficient Session Expiration), is that the token deletion code path only removes the database row and does not evict the corresponding cache entry keyed by token value. As a result, the cache serves as the authoritative trust anchor for up to the full TTL window (reported as up to three days), completely bypassing the database deletion. This is an architectural gap between the persistence layer and the cache invalidation strategy in the auth middleware.

RemediationAI

No vendor-released patch has been identified at time of analysis for NocoDB <= 0.301.3. Until a patched release is available, operators should consider the following specific compensating controls. First, restarting the NocoDB application process will flush the in-memory auth cache immediately, forcing all tokens to re-validate against the database on next use - this is the most direct way to achieve immediate revocation after a token deletion, but requires a service restart. Second, if token deletion is performed in response to a suspected compromise, treat the three-day window as an active exposure period and audit API logs for continued usage of the deleted token during that time. Third, reduce reliance on API token revocation as the sole response to a compromise; combine with network-level access controls (firewall rules restricting NocoDB API exposure to trusted IP ranges) to limit what a stale token can reach. Note that restarting the service disrupts active sessions and API consumers, and network restrictions may break legitimate integrations. Monitor the advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-f76x-f9vj-92jv for patch availability.

Share

CVE-2026-46554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy