CVE-2026-53926
OAuth Token Not Revoked After Password Change in NocoDB

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub that is called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were therefore not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.
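As an added illustration (constructed here, not NocoDB's source), a minimal in-memory model of the flawed and the fixed behaviour: with the empty stub in place, a grant issued before the password change still validates afterwards; with the fix, every access and refresh token of that user is revoked while other users' tokens are untouched. Only revokeAllOAuthTokensByUser, passwordChange, passwordForgot and passwordReset are names from the advisory; TokenStore, UsersService, afterPasswordPath and the sample token values are assumptions.

```typescript
// Constructed model (not NocoDB source): an in-memory OAuth token store and a
// users service whose three password paths call revokeAllOAuthTokensByUser.
type Kind = "access" | "refresh";
interface Token { value: string; userId: string; kind: Kind; revoked: boolean; }
class TokenStore {
  private tokens: Token[] = [];
  issue(userId: string, kind: Kind, value: string): Token {
    const t: Token = { value, userId, kind, revoked: false }; this.tokens.push(t); return t;
  }
  // A presented token is accepted only if it exists and has not been revoked.
  isValid(value: string): boolean {
    const t = this.tokens.find((x) => x.value === value);
    return t !== undefined && !t.revoked;
  }
  // Revoke every live access and refresh token of one user; returns the count.
  revokeByUser(userId: string): number {
    let n = 0;
    for (const t of this.tokens) {
      if (t.userId === userId && !t.revoked) { t.revoked = true; n++; }
    }
    return n;
  }
}
class UsersService {
  private store: TokenStore;
  private fixed: boolean;
  constructor(store: TokenStore, fixed: boolean) { this.store = store; this.fixed = fixed; }
  revokeAllOAuthTokensByUser(userId: string): number {
    if (!this.fixed) return 0; // pre-2026.05.1 behaviour: empty stub, nothing is revoked
    return this.store.revokeByUser(userId);
  }
  passwordChange(userId: string): void { this.revokeAllOAuthTokensByUser(userId); }
  passwordForgot(userId: string): void { this.revokeAllOAuthTokensByUser(userId); }
  passwordReset(userId: string): void { this.revokeAllOAuthTokensByUser(userId); }
}
type Path = "passwordChange" | "passwordForgot" | "passwordReset";
// A victim and a bystander each hold grants; the victim runs one password path.
// Returns whether each party's grant still validates afterwards.
function afterPasswordPath(path: Path, fixed: boolean): { victim: boolean; bystander: boolean } {
  const store = new TokenStore();
  const svc = new UsersService(store, fixed);
  const acc = store.issue("victim", "access", "acc-1"); // constructed sample values
  const ref = store.issue("victim", "refresh", "ref-1");
  const other = store.issue("bystander", "access", "acc-2");
  svc[path]("victim");
  return { victim: store.isValid(acc.value) || store.isValid(ref.value), bystander: store.isValid(other.value) };
}
```

The same check, run against a real deployment's token table after a password reset, is the regression test a defender would keep for this class of bug.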
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: to 2026.05.1 (inc)
CWE
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

This vulnerability exists in NocoDB software versions prior to 2026.05.1. The function revokeAllOAuthTokensByUser in the users service was an empty stub, meaning it did not actually revoke OAuth tokens when called. This function is triggered during password change, password reset, or password recovery processes. Because the OAuth access and refresh tokens were not revoked, an attacker who had previously obtained an OAuth grant could still access the user's account even after the user believed they had secured their account by changing or resetting their password.

Impact Analysis

The impact of this vulnerability is that an attacker who has obtained OAuth tokens can maintain unauthorized access to a user's account even after the user has changed or reset their password. This means the attacker can continue to access sensitive data or perform actions on behalf of the user without their knowledge, potentially leading to data breaches, unauthorized data manipulation, or other malicious activities.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue with revokeAllOAuthTokensByUser has been fixed.

Compliance Impact

This vulnerability allows OAuth access and refresh tokens to remain valid even after a user changes, resets, or recovers their password, potentially allowing unauthorized access.

Such a flaw could impact compliance with standards and regulations like GDPR and HIPAA, which require proper access control and timely revocation of credentials to protect user data and privacy.

Failure to revoke tokens upon password changes may lead to unauthorized data access, violating principles of data protection and security mandated by these regulations.
