← back
CVE-2026-53926

NocoDB: OAuth Tokens Persist Through Security Events

CVSS 6.3 MEDIUMEPSS 0.3%CWE-613
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.3EPSS 0.3%KEV nãoPoC Patch
Lifecycle
Jun 23, 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
nocodb · nocodb

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g