CVE-2026-53926
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability in the users service where the revokeAllOAuthTokensByUser function was an empty stub. As a result, OAuth tokens were not revoked when the user changed, reset, or recovered their password.
Risk Assessment
An attacker could exploit this vulnerability to retain valid OAuth tokens, allowing access to the user's account even after they believed they had secured it. This poses a risk of unauthorized access to data.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 to fix this vulnerability and ensure that OAuth tokens are properly revoked after password changes.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.

