CVE-2026-53928
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 had a vulnerability where a stolen refresh token could be used to mint new JWTs even after the user reset their password. The password forgot flow did not delete all refresh tokens, allowing an attacker to exchange the captured token for a new access token.
Risk Assessment
The organization may be exposed to unauthorized access to user data if an attacker possesses a stolen refresh token. This could lead to serious security breaches and data loss.
Recommendation
It is recommended to update NocoDB to version 2026.05.1 or later to eliminate this vulnerability. Additionally, conducting a security audit to identify and revoke any stolen tokens is advisable.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.

