CVE Catalog

CVE-2026-53928

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile - higher than 15% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 had a vulnerability where a stolen refresh token could be used to mint new JWTs even after the user reset their password. The password forgot flow did not delete all refresh tokens, allowing an attacker to exchange the captured token for a new access token.

Risk Assessment

The organization may be exposed to unauthorized access to user data if an attacker possesses a stolen refresh token. This could lead to serious security breaches and data loss.

Recommendation

It is recommended to update NocoDB to version 2026.05.1 or later to eliminate this vulnerability. Additionally, conducting a security audit to identify and revoke any stolen tokens is advisable.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS