CVE-2026-46550
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
NocoDB prior to version 2026.04.1 had a security vulnerability related to the refresh-token cookie, which was set with httpOnly: true but lacked both the secure flag and the sameSite attribute. This allowed the cookie to be intercepted on the network and enabled CSRF attacks against the token-refresh endpoint.
Risk Assessment
Organizations may be exposed to CSRF attacks, potentially leading to unauthorized access to token-refresh functionalities. Interception of the cookie over an unsecured HTTP connection increases the risk of data leakage.
Recommendation
It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this vulnerability. Additionally, consider implementing security measures such as HTTPS and proper cookie settings.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.

