CVE-2026-47386
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability that allowed two concurrent uses of the same OAuth authorization code to generate two distinct valid (access_token, refresh_token) pairs. This broke the single-use guarantee that PKCE relies on.
Risk Assessment
Organizations could be at risk of unauthorized access to resources, as an attacker could exploit this vulnerability to obtain multiple valid tokens from a single authorization code.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 or later to mitigate this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.

