Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the prerequisite of prior OAuth token possession; C:L and I:L capture retained unauthorized account access; AV:N because token usage is network-based.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.
AnalysisAI
OAuth token persistence in NocoDB allows an attacker who previously obtained a user's OAuth credentials to maintain unauthorized account access even after the victim performs a password change, reset, or recovery - the exact security actions taken to revoke attacker access. All NocoDB versions up to 2026.05.0 (npm package: nocodb) are affected due to revokeAllOAuthTokensByUser being implemented as an empty stub in the users service, meaning no OAuth or refresh tokens were ever actually invalidated by any of the three password security flows. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker already possesses valid OAuth access and/or refresh tokens for the target NocoDB user account, obtained prior to the victim's password security event. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.0 score of 6.3 with AT:P correctly signals that exploitation is conditional - the attacker must have obtained valid OAuth tokens before the victim's remediation attempt. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who previously obtained a NocoDB user's OAuth access and refresh tokens - through phishing, a malicious OAuth application grant, or credential theft - continues to use those tokens to authenticate against the victim's account after the victim performs a password reset specifically to terminate unauthorized sessions. Because the revocation stub does nothing, the attacker's OAuth session silently persists with full account-level access to the victim's databases and spreadsheets. … |
| Remediation | Vendor-released patch: NocoDB 2026.05.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
NocoDB spreadsheet platform prior to 0.301.0 has a stored XSS vulnerability (CVSS 9.0) that enables code execution throu
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated high severity (CVSS 8.8), thi
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated high severity (CVSS 8.8), this
NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access
With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read it's con
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0. Rated medium severity (CVSS 6.5), this vul
Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0. Rated medium se
NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn
NocoDB is software for building databases as spreadsheets. Rated medium severity (CVSS 5.4), this vulnerability is remot
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated medium severity (CVSS 5.4
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7. Rated medium severity (CVSS 5.4)
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38610
GHSA-g72g-r7m4-9x4g