Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because prior refresh-token capture is a prerequisite; UI:R because the victim must trigger the Forgot Password flow for the bypass to apply.
Primary rating from Vendor (https://github.com/nocodb/nocodb).
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summary
A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.
Details
passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens - it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow.
Impact
Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.
Credit
This issue was reported by @bugbunny-research.
AnalysisAI
Refresh token persistence in NocoDB (npm/nocodb ≤ 0.301.3) allows an attacker who has captured a victim's refresh token to retain persistent account access even after the victim completes a 'Forgot Password' recovery flow. The passwordForgot code path omitted the UserRefreshToken.deleteAllUserToken(user.id) call present in both passwordChange and passwordReset, leaving the attacker's stolen refresh cookie valid and exchangeable for new JWTs indefinitely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific, sequential conditions: (1) the attacker must have previously obtained a valid NocoDB refresh token for the target user through any prior means such as cookie theft, cross-site scripting, physical device access, or network interception; and (2) the victim must specifically trigger the 'Forgot Password' recovery flow - not a direct `passwordChange` or `passwordReset`, both of which correctly call `UserRefreshToken.deleteAllUserToken` and would properly invalidate the attacker's session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was supplied in the advisory data, so all metric judgments are independently assessed from the description and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who previously captured a victim's NocoDB refresh token - via XSS, network interception, malware, or physical device access - waits for the victim to detect suspicious activity and initiate the 'Forgot Password' recovery flow. After the victim resets their password believing all sessions have been terminated, the attacker submits the stolen refresh cookie to NocoDB's token refresh endpoint, receives a valid new JWT, and maintains full account access. … |
| Remediation | No vendor-released patch version has been confirmed - the GitHub Security Advisory GHSA-r989-7g3j-wjhw lists no fixed version as of the time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38608
GHSA-r989-7g3j-wjhw