CVE Catalog

CVE-2026-53926

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile - higher than 21% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 had a vulnerability in the users service where the revokeAllOAuthTokensByUser function was an empty stub. As a result, OAuth tokens were not revoked when the user changed, reset, or recovered their password.

Risk Assessment

An attacker could exploit this vulnerability to retain valid OAuth tokens, allowing access to the user's account even after they believed they had secured it. This poses a risk of unauthorized access to data.

Recommendation

It is recommended to update NocoDB to version 2026.05.1 to fix this vulnerability and ensure that OAuth tokens are properly revoked after password changes.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS