CVE Catalog

CVE-2026-46550

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile — higher than 1% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had a security vulnerability related to the refresh-token cookie, which was set with httpOnly: true but lacked both the secure flag and the sameSite attribute. This allowed the cookie to be intercepted on the network and enabled CSRF attacks against the token-refresh endpoint.

Risk Assessment

Organizations may be exposed to CSRF attacks, potentially leading to unauthorized access to token-refresh functionalities. Interception of the cookie over an unsecured HTTP connection increases the risk of data leakage.

Recommendation

It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this vulnerability. Additionally, consider implementing security measures such as HTTPS and proper cookie settings.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS