CVE-2026-46550
Status: Received - Intake
Refresh-Token Cookie CSRF in NocoDB

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
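As an added example (not NocoDB's own code): the refresh-token Set-Cookie header the advisory describes, built the way an Express-style cookie helper would emit it, beside the hardened form, plus a small auditor that parses any Set-Cookie value and reports exactly the attributes the advisory says were missing. The cookie name refresh_token and the helper names are assumptions made for the example.

```javascript
// Added example, not NocoDB's code. Cookie name and helper names are assumed.

// Serialize a cookie the way an Express-style res.cookie() helper would.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge != null) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Before 2026.04.1, as the advisory describes it: httpOnly only.
function vulnerableRefreshCookie(token) {
  return serializeCookie('refresh_token', token, { httpOnly: true, path: '/' });
}

// Hardened form: all three attributes. Strict is the right SameSite mode for a
// cookie that only ever travels on first-party requests to the refresh endpoint.
function hardenedRefreshCookie(token) {
  return serializeCookie('refresh_token', token, {
    httpOnly: true, secure: true, sameSite: 'Strict', path: '/',
  });
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Report what a session or refresh cookie header is missing. Returns [] when it is fine.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable by page scripts');
  if (!c.attrs.secure) findings.push('missing Secure: sent over plain HTTP (CWE-614)');
  const ss = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (!ss) {
    findings.push('missing SameSite: attached to cross-site POSTs (CSRF)');
  } else if (ss === 'none' && !c.attrs.secure) {
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  }
  return findings;
}

console.log(vulnerableRefreshCookie('tok'), auditCookie(vulnerableRefreshCookie('tok')));
console.log(hardenedRefreshCookie('tok'), auditCookie(hardenedRefreshCookie('tok')));
```

To check a live instance after upgrading, paste the Set-Cookie value from the login or refresh response into auditCookie; an empty result means all three attributes are present.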
Meta Information
CVSS Scores: none listed on this page
EPSS: not evaluated (N/A)
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb
Product: nocodb
Version / Range: versions before 2026.04.1 (fixed in 2026.04.1)
CWE
CWE-614: The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Note that CWE-614 covers only the missing Secure flag; the missing SameSite attribute, which is what lets a cross-site POST carry the cookie, is a separate weakness that this mapping does not reflect.
Executive Summary

Before 2026.04.1, NocoDB issued its refresh-token cookie with httpOnly: true but without the Secure flag or a SameSite attribute. The missing Secure flag means a browser will send the cookie over a plain-HTTP connection, where it can be read on the network; the missing SameSite attribute means the browser attaches it to cross-site POST requests, so a page on another origin can make the victim's browser call the token-refresh endpoint with the victim's refresh token. httpOnly still keeps page scripts from reading the cookie, but it does nothing against either of these paths. The issue is fixed in 2026.04.1.

Impact Analysis

Two consequences follow. First, on any deployment reachable over plain HTTP, an attacker on the network path who captures the refresh-token cookie can present it to the refresh endpoint and obtain fresh credentials for the victim's session for as long as the refresh token remains valid. Second, an attacker-controlled page can submit a cross-site POST to the refresh endpoint and the victim's browser will include the cookie, so the server processes the request as the victim's. The same-origin policy still keeps the response, and any newly issued token in it, away from the attacker's page unless CORS explicitly allows it, so the practical impact of the CSRF path depends on what the endpoint does server-side on a forged refresh, which the advisory does not detail. The network-interception path has no such limitation.
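As an added example (not NocoDB's code): a model of the checks a browser runs before attaching a cookie to a request, used to show why the advisory's cookie rides along on a cross-site POST to the refresh endpoint and why the hardened cookie does not. It goes slightly beyond the advisory by also modelling SameSite=Lax and Chromium's Lax-by-default treatment of cookies with no SameSite attribute. The cookie name, the "/refresh" path and the laxByDefault switch are assumptions made for the example.

```javascript
// Added example, not NocoDB's code. Cookie name, path and the laxByDefault
// switch are assumptions; the attachment rules follow the Secure and SameSite
// semantics of current browsers.

// cookie: { secure?: boolean, sameSite?: 'Strict' | 'Lax' | 'None' }
// req:    { scheme: 'http' | 'https', method, crossSite: boolean, topLevelNavigation: boolean }
// opts.laxByDefault: treat a cookie with no SameSite attribute as Lax (Chromium's
// behaviour since 2020) instead of the legacy "send everywhere" behaviour the
// advisory describes.
function willAttach(cookie, req, opts = { laxByDefault: false }) {
  // A Secure cookie is never sent over plain http://, even on a same-site request.
  if (cookie.secure && req.scheme !== 'https') return false;
  // Same-site requests always carry the cookie, whatever SameSite says.
  if (!req.crossSite) return true;
  let mode = (cookie.sameSite || '').toLowerCase();
  if (mode === '') mode = opts.laxByDefault ? 'lax' : 'none';
  switch (mode) {
    case 'strict':
      return false; // never on a cross-site request
    case 'lax':
      // only on top-level navigations with a safe method (a link click, not a form POST)
      return req.topLevelNavigation && req.method === 'GET';
    default:
      // SameSite=None, or absent under legacy behaviour: every cross-site request
      return true;
  }
}

// Constructed request contexts for the two attack paths in the advisory.
const crossSiteRefreshPost = {
  scheme: 'https', method: 'POST', crossSite: true, topLevelNavigation: true, path: '/refresh',
};
const plainHttpRequest = {
  scheme: 'http', method: 'GET', crossSite: false, topLevelNavigation: true, path: '/',
};

// The cookie before 2026.04.1, as the advisory describes it, and the hardened form.
const vulnerableCookie = { name: 'refresh_token', httpOnly: true };
const hardenedCookie = { name: 'refresh_token', httpOnly: true, secure: true, sameSite: 'Strict' };

// Which of the two paths reaches the refresh endpoint with this cookie attached?
function exposure(cookie, opts) {
  return {
    csrfPost: willAttach(cookie, crossSiteRefreshPost, opts),
    plainHttp: willAttach(cookie, plainHttpRequest, opts),
  };
}

console.log('vulnerable', exposure(vulnerableCookie)); // { csrfPost: true, plainHttp: true }
console.log('hardened', exposure(hardenedCookie));     // { csrfPost: false, plainHttp: false }
console.log('vulnerable, Lax-by-default browser', exposure(vulnerableCookie, { laxByDefault: true }));
```

The third line of output is the caveat a tester needs: in a browser that defaults missing SameSite to Lax, the cross-site POST no longer carries the cookie, so a CSRF proof of concept that fails in Chromium does not show the fix is present. Chromium also exempts cookies set within the last two minutes from that default on top-level POSTs, so a freshly issued refresh cookie can still be attached; the model leaves that exception out.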

Mitigation Strategies

Upgrade NocoDB to 2026.04.1 or later, which sets the Secure flag and a SameSite attribute on the refresh-token cookie. After upgrading, confirm the fix by inspecting the Set-Cookie header on a login or token-refresh response: it should carry HttpOnly, Secure and SameSite.

Serve NocoDB only over HTTPS and redirect HTTP to HTTPS; a Secure cookie is never sent over http://, so the network-interception path is closed only once the cookie carries the flag and no plain-HTTP listener remains. Until the upgrade is done, a TLS-terminating reverse proxy that rewrites Set-Cookie to add the missing Secure and SameSite attributes is a reasonable interim control.

Compliance Impact

The weakness exposes an authentication credential, the refresh-token cookie, to interception over plain HTTP and to cross-site request forgery, either of which can lead to unauthorized access.

Frameworks such as GDPR and HIPAA require that personal and sensitive data be protected from unauthorized access and transmitted over secure channels, so an exploited instance could affect compliance with them.

The advisory itself does not state any direct compliance impact.
