Skip to main content

NocoDB CVE-2026-53928

| EUVDEUVD-2026-38608 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-06-17 https://github.com/nocodb/nocodb GHSA-r989-7g3j-wjhw
6.3
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

AC:H because prior refresh-token capture is a prerequisite; UI:R because the victim must trigger the Forgot Password flow for the bypass to apply.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:46 vuln.today
Analysis Generated
Jun 18, 2026 - 01:46 vuln.today

DescriptionCVE.org

Summary

A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.

Details

passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens - it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow.

Impact

Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.

Credit

This issue was reported by @bugbunny-research.

AnalysisAI

Refresh token persistence in NocoDB (npm/nocodb ≤ 0.301.3) allows an attacker who has captured a victim's refresh token to retain persistent account access even after the victim completes a 'Forgot Password' recovery flow. The passwordForgot code path omitted the UserRefreshToken.deleteAllUserToken(user.id) call present in both passwordChange and passwordReset, leaving the attacker's stolen refresh cookie valid and exchangeable for new JWTs indefinitely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Capture victim refresh token via cookie theft or XSS
Delivery
Victim detects intrusion and initiates Forgot Password flow
Exploit
Password reset completes without purging refresh token table
Execution
Attacker exchanges stolen refresh cookie for fresh JWT
Impact
Retain persistent unauthorized account access

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific, sequential conditions: (1) the attacker must have previously obtained a valid NocoDB refresh token for the target user through any prior means such as cookie theft, cross-site scripting, physical device access, or network interception; and (2) the victim must specifically trigger the 'Forgot Password' recovery flow - not a direct `passwordChange` or `passwordReset`, both of which correctly call `UserRefreshToken.deleteAllUserToken` and would properly invalidate the attacker's session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was supplied in the advisory data, so all metric judgments are independently assessed from the description and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who previously captured a victim's NocoDB refresh token - via XSS, network interception, malware, or physical device access - waits for the victim to detect suspicious activity and initiate the 'Forgot Password' recovery flow. After the victim resets their password believing all sessions have been terminated, the attacker submits the stolen refresh cookie to NocoDB's token refresh endpoint, receives a valid new JWT, and maintains full account access. …
Remediation No vendor-released patch version has been confirmed - the GitHub Security Advisory GHSA-r989-7g3j-wjhw lists no fixed version as of the time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy