Executive Summary

CVE-2026-28396 is a vulnerability in the NocoDB software (versions up to 0.301.2) where the password reset process does not revoke existing refresh tokens. This means that if an attacker has previously stolen a refresh token, they can continue to generate valid JWTs (JSON Web Tokens) even after the victim resets their password.

The root cause is that the passwordReset() function updates the token version to invalidate JWTs but fails to delete all existing refresh tokens. The refreshToken() method only checks if the token exists but does not verify the token version, allowing continued unauthorized access.

This issue was fixed in version 0.301.3 of NocoDB.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker who has stolen a refresh token to maintain unauthorized access to a user's account even after the user resets their password."}, {'type': 'paragraph', 'content': 'Because the stolen refresh tokens are not revoked during the password reset process, the attacker can continue minting valid JWTs and impersonate the user until the stolen token expires.'}, {'type': 'paragraph', 'content': 'This can lead to prolonged unauthorized access, potentially exposing sensitive data or allowing malicious actions within the affected system.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the failure to revoke existing refresh tokens after a password reset in NocoDB versions prior to 0.301.3. Detection would involve monitoring for continued use of refresh tokens that should have been invalidated.

Specifically, you can look for refresh token usage after a password reset event for the same user. If refresh tokens continue to be accepted and JWTs minted after a password reset, this indicates the vulnerability.

Since the issue is related to token management in the application, network commands alone may not be sufficient. However, you can monitor logs or API calls related to token refresh endpoints to detect suspicious activity.

• Check application logs for refresh token usage timestamps after password reset events.
• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic to the token refresh endpoint and correlate with password reset events.
• If you have access to the database, query the refresh tokens associated with users who recently reset passwords to see if old tokens remain valid.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade NocoDB to version 0.301.3 or later, where the vulnerability has been fixed by properly revoking existing refresh tokens during the password reset flow.

Until you can upgrade, consider manually invalidating all refresh tokens for users who reset their passwords to prevent continued unauthorized access.

Additionally, monitor for suspicious token refresh activity after password resets and enforce stricter session management policies if possible.

Useful 0 Not Useful 0