CVE-2026-28396
Refresh Token Revocation Bypass in NocoDB Enables Persistent Access

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-05-27
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb | Product: nocodb | Version / Range: all versions before 0.301.3 (0.301.3 itself excluded)
CWE ID: CWE-613 (Insufficient Session Expiration). Description: according to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28396 is a vulnerability in the NocoDB software (versions up to 0.301.2) where the password reset process does not revoke existing refresh tokens. This means that if an attacker has previously stolen a refresh token, they can continue to generate valid JWTs (JSON Web Tokens) even after the victim resets their password.

The root cause is that the passwordReset() function updates the token version to invalidate JWTs but fails to delete all existing refresh tokens. The refreshToken() method only checks if the token exists but does not verify the token version, allowing continued unauthorized access.

This issue was fixed in version 0.301.3 of NocoDB.
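The two-part root cause described above (the reset bumps a token version that only JWT validation checks, while refresh tokens are neither deleted nor version-checked) is easiest to see side by side with the corrected behaviour. The following TypeScript is an added illustration written for this page, not NocoDB's own code; `AuthStore`, `tokenVersion`, `passwordReset` and `refresh` are hypothetical names modelling the flow the advisory describes, and the same class runs in either the vulnerable or the fixed mode depending on a flag.

```typescript
// Added example, not NocoDB's code: a minimal in-memory model of the flaw in
// CVE-2026-28396 (password reset bumps the token version but leaves refresh
// tokens alive, and the refresh path never checks the version) next to the
// corrected behaviour. All names (AuthStore, tokenVersion, ...) are hypothetical.
import { createHash, randomBytes } from "node:crypto";

interface UserRecord {
  id: string;
  tokenVersion: number; // incremented on password reset so old JWTs fail
}

interface RefreshRecord {
  userId: string;
  tokenVersion: number; // user's version at the time this token was issued
}

interface AccessToken {
  sub: string;
  tokenVersion: number; // stand-in for a signed JWT's claims
}

class AuthStore {
  private users = new Map<string, UserRecord>();
  // Keyed by sha256(raw token) so a database dump does not expose usable tokens.
  private refreshTokens = new Map<string, RefreshRecord>();
  private readonly fixed: boolean;

  constructor(fixed: boolean) {
    this.fixed = fixed;
  }

  addUser(id: string): void {
    this.users.set(id, { id, tokenVersion: 1 });
  }

  private fingerprint(raw: string): string {
    return createHash("sha256").update(raw).digest("hex");
  }

  // Login issues a refresh token bound to the user's current token version.
  login(userId: string): string {
    const user = this.users.get(userId);
    if (!user) throw new Error("unknown user");
    const raw = randomBytes(32).toString("hex");
    this.refreshTokens.set(this.fingerprint(raw), { userId, tokenVersion: user.tokenVersion });
    return raw;
  }

  passwordReset(userId: string): void {
    const user = this.users.get(userId);
    if (!user) throw new Error("unknown user");
    user.tokenVersion += 1; // both variants invalidate already-issued JWTs
    if (!this.fixed) return; // vulnerable variant stops here: refresh tokens survive
    // Fixed variant: revoke every refresh token belonging to this user.
    for (const [key, rec] of this.refreshTokens) {
      if (rec.userId === userId) this.refreshTokens.delete(key);
    }
  }

  // Exchange a refresh token for a new access token; null means rejected.
  refresh(raw: string): AccessToken | null {
    const key = this.fingerprint(raw);
    const rec = this.refreshTokens.get(key);
    if (!rec) return null; // existence is the only check in the vulnerable variant
    const user = this.users.get(rec.userId);
    if (!user) return null;
    if (this.fixed && rec.tokenVersion !== user.tokenVersion) {
      this.refreshTokens.delete(key); // defence in depth: a stale token is revoked on sight
      return null;
    }
    return { sub: user.id, tokenVersion: user.tokenVersion };
  }
}

// Does a refresh token issued before a password reset still mint access tokens?
function staleRefreshTokenStillWorks(fixed: boolean): boolean {
  const store = new AuthStore(fixed);
  store.addUser("alice");
  const issuedBeforeReset = store.login("alice");
  store.passwordReset("alice");
  return store.refresh(issuedBeforeReset) !== null;
}

// Sanity check that the fix does not break the normal login-after-reset path.
function freshLoginWorksAfterReset(): boolean {
  const store = new AuthStore(true);
  store.addUser("alice");
  store.passwordReset("alice");
  return store.refresh(store.login("alice")) !== null;
}

console.log("vulnerable variant accepts pre-reset token:", staleRefreshTokenStillWorks(false)); // true
console.log("fixed variant accepts pre-reset token:", staleRefreshTokenStillWorks(true));       // false
```

The fixed path does two things on purpose: deleting the user's refresh tokens is the actual revocation, and the version comparison in `refresh` is a second, independent check so that a token which somehow survives deletion (a replica lag, a missed table) is still rejected. Either measure alone closes the gap the advisory describes; together they fail safe.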


How can this vulnerability impact me?

This vulnerability allows an attacker who has stolen a refresh token to maintain unauthorized access to a user's account even after the user resets their password.

Because the stolen refresh tokens are not revoked during the password reset process, the attacker can continue minting valid JWTs and impersonate the user until the stolen token expires.

This can lead to prolonged unauthorized access, potentially exposing sensitive data or allowing malicious actions within the affected system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the failure to revoke existing refresh tokens after a password reset in NocoDB versions prior to 0.301.3. Detection would involve monitoring for continued use of refresh tokens that should have been invalidated.

Specifically, you can look for refresh token usage after a password reset event for the same user. If refresh tokens continue to be accepted and JWTs minted after a password reset, this indicates the vulnerability.

Since the issue is related to token management in the application, network commands alone may not be sufficient. However, you can monitor logs or API calls related to token refresh endpoints to detect suspicious activity.

  • Check application logs for refresh token usage timestamps after password reset events.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture traffic to the token refresh endpoint and correlate with password reset events.
  • If you have access to the database, query the refresh tokens associated with users who recently reset passwords to see if old tokens remain valid.
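The first bullet above, correlating refresh-token use with password-reset events, can be automated over application logs. The TypeScript below is an added example for this page and does not reflect NocoDB's actual log format: the line format, the event names `password_reset` and `token_refresh`, and the `tok=` field (assumed to be a short fingerprint of the refresh token, never the token itself) are all constructed for the illustration. It flags any refresh whose token was already in use before the user's most recent password reset, which is exactly the behaviour the fix in 0.301.3 prevents.

```typescript
// Added detection example for this page, not NocoDB's own tooling. The log
// format below is constructed: "<ISO timestamp> <event> user=<id> [tok=<fingerprint>]".
interface LogEvent {
  ts: number;
  kind: "password_reset" | "token_refresh";
  user: string;
  tokenId?: string; // fingerprint of the refresh token, not the token value
}

interface Finding {
  user: string;
  tokenId: string;
  refreshAt: string;
  resetAt: string;
}

function parseLine(line: string): LogEvent | null {
  const m = /^(\S+) (password_reset|token_refresh) user=(\S+)(?: tok=(\S+))?$/.exec(line.trim());
  if (!m) return null; // unrelated log lines are ignored
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, kind: m[2] as LogEvent["kind"], user: m[3], tokenId: m[4] };
}

// Flag refresh-token use where the same token fingerprint was already seen
// before the user's latest password reset: under the fix it must be rejected.
function findStaleRefreshes(lines: string[]): Finding[] {
  const events = lines
    .map(parseLine)
    .filter((e): e is LogEvent => e !== null)
    .sort((a, b) => a.ts - b.ts); // logs are not guaranteed to be in order
  const lastReset = new Map<string, number>(); // user -> ts of latest reset
  const firstSeen = new Map<string, number>(); // token fingerprint -> first use
  const findings: Finding[] = [];
  for (const e of events) {
    if (e.kind === "password_reset") {
      lastReset.set(e.user, e.ts);
      continue;
    }
    const id = e.tokenId ?? "";
    if (!firstSeen.has(id)) firstSeen.set(id, e.ts);
    const resetAt = lastReset.get(e.user);
    if (resetAt !== undefined && (firstSeen.get(id) ?? e.ts) < resetAt) {
      findings.push({
        user: e.user,
        tokenId: id,
        refreshAt: new Date(e.ts).toISOString(),
        resetAt: new Date(resetAt).toISOString(),
      });
    }
  }
  return findings;
}

// Constructed sample log: alice's token a1b2c3d4 is used before and after her
// reset (should be flagged); e5f6a7b8 first appears after the reset (fine);
// bob never reset his password (fine).
const SAMPLE_LOG: string[] = [
  "2026-03-02T10:00:00Z token_refresh user=alice tok=a1b2c3d4",
  "2026-03-02T10:30:00Z password_reset user=alice",
  "2026-03-02T11:00:00Z token_refresh user=alice tok=a1b2c3d4",
  "2026-03-02T11:05:00Z token_refresh user=alice tok=e5f6a7b8",
  "2026-03-02T11:10:00Z token_refresh user=bob tok=09876543",
  "2026-03-02T11:11:00Z GET /api/v1/db/meta/projects user=bob", // ignored
];

for (const f of findStaleRefreshes(SAMPLE_LOG)) {
  console.log(`stale refresh token ${f.tokenId} used by ${f.user} at ${f.refreshAt} (reset at ${f.resetAt})`);
}
```

The heuristic only catches tokens that were used at least once before the reset; a stolen token that is first exercised after the reset is indistinguishable from a legitimately new one without issuance records, so on a pre-0.301.3 instance the database check in the third bullet (old refresh rows still present for recently reset users) is the stronger signal.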

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade NocoDB to version 0.301.3 or later, where the vulnerability has been fixed by properly revoking existing refresh tokens during the password reset flow.

Until you can upgrade, consider manually invalidating all refresh tokens for users who reset their passwords to prevent continued unauthorized access.

Additionally, monitor for suspicious token refresh activity after password resets and enforce stricter session management policies if possible.

