CVE-2026-53928
Status: Received - Intake
Authentication Bypass in NocoDB via Stale Refresh Tokens

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived the password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens; it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could therefore still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.
CVSS and EPSS Scores: none published at the time this page was generated.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nocodb
Product: nocodb
Version / Range: up to 2026.05.1 (inclusive), as listed in the associated CPE
Note: the description above states that the issue affects versions prior to 2026.05.1 and that 2026.05.1 contains the fix, so treat 2026.05.1 as the first patched release rather than an affected one.
CWE
CWE-613, Insufficient Session Expiration. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Quick Actions
Compliance Impact

This vulnerability lets a stolen refresh token remain valid after a user resets their password, so an attacker who captured the token can keep accessing the account.

That continued access can expose or allow misuse of personal or otherwise sensitive data held in NocoDB, which may breach data-protection obligations under regimes such as GDPR and HIPAA. Both expect authentication material to be invalidated when credentials are reset; an affected deployment cannot demonstrate that it does so.

Executive Summary

This vulnerability concerns how NocoDB handled refresh tokens during the password-forgot flow. Before version 2026.05.1, when a user triggered password recovery, the server rotated the user's token_version and revoked OAuth tokens but did not delete the user's stored refresh tokens. An attacker who had previously captured a refresh token could therefore keep exchanging it for new JWT access tokens, even after the user reset their password.

The root cause is that passwordForgot never called UserRefreshToken.deleteAllUserToken(user.id), whereas passwordChange and passwordReset did delete the user's refresh tokens. Because the refresh token itself was never invalidated, rotating token_version alone did not stop the exchange, and an attacker holding the captured token kept access despite the recovery flow.

Version 2026.05.1 fixes the issue; per the advisory, the fix brings passwordForgot in line with the other two flows, so that refresh tokens are deleted when recovery is triggered.
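The following is an added example written for this page, not NocoDB's code, that models the three flows named above against an in-memory refresh-token store and shows why a captured refresh token survives the vulnerable passwordForgot but not the hardened one. The names UserRefreshToken, deleteAllUserToken and token_version come from the advisory; the stores, token format, refresh endpoint and the pinVersion option are assumptions made for the illustration.

```javascript
// Added example (not NocoDB's code): minimal model of the recovery flows
// described in CVE-2026-53928. Only UserRefreshToken, deleteAllUserToken and
// token_version are taken from the advisory text; the rest is assumed.

let counter = 0;
const opaque = (prefix) => `${prefix}_${(++counter).toString(36).padStart(6, "0")}`;

// In-memory stand-ins for the tables the handlers touch.
const users = new Map();          // userId -> { passwordHash, token_version }
const refreshTokens = new Map();  // refreshToken -> { userId, token_version }
const oauthTokens = new Map();    // oauthToken -> userId

const UserRefreshToken = {
  insert(userId, token_version) {
    const token = opaque("rt");
    refreshTokens.set(token, { userId, token_version });
    return token;
  },
  // The call the advisory says passwordForgot never made.
  deleteAllUserToken(userId) {
    for (const [token, row] of refreshTokens) {
      if (row.userId === userId) refreshTokens.delete(token);
    }
  },
};

// Creates a user with one OAuth token and one refresh token (the "cookie").
function createUser(userId, passwordHash) {
  users.set(userId, { passwordHash, token_version: opaque("tv") });
  oauthTokens.set(opaque("oa"), userId);
  return UserRefreshToken.insert(userId, users.get(userId).token_version);
}

function rotateTokenVersion(userId) {
  users.get(userId).token_version = opaque("tv");
}

function revokeOAuthTokens(userId) {
  for (const [token, owner] of oauthTokens) {
    if (owner === userId) oauthTokens.delete(token);
  }
}

// Refresh exchange: a stored refresh token is traded for a new access token.
// Returns null when the token is unknown (never issued or deleted).
// pinVersion (assumed, defence in depth) also rejects a token issued under a
// token_version that has since been rotated.
function refreshAccessToken(refreshToken, { pinVersion = false } = {}) {
  const row = refreshTokens.get(refreshToken);
  if (!row) return null;
  const user = users.get(row.userId);
  if (pinVersion && row.token_version !== user.token_version) return null;
  return { access: opaque("at"), userId: row.userId, token_version: user.token_version };
}

// Shape of the flows the advisory says already deleted refresh tokens
// (passwordChange and passwordReset).
function passwordChange(userId, newHash) {
  users.get(userId).passwordHash = newHash;
  rotateTokenVersion(userId);
  UserRefreshToken.deleteAllUserToken(userId);
}

// Vulnerable shape for versions before 2026.05.1: version rotated and OAuth
// tokens revoked, refresh tokens left in place.
function passwordForgotVulnerable(userId) {
  rotateTokenVersion(userId);
  revokeOAuthTokens(userId);
}

// Hardened shape: the same steps plus the missing deletion.
function passwordForgotFixed(userId) {
  rotateTokenVersion(userId);
  revokeOAuthTokens(userId);
  UserRefreshToken.deleteAllUserToken(userId);
}

// Replays a captured refresh token after the given recovery flow has run.
// Returns true when the attacker still obtains an access token.
function stolenTokenSurvives(flow, opts) {
  const userId = opaque("user");
  const stolen = createUser(userId, "hash-v1"); // attacker captured this cookie earlier
  flow(userId);                                 // victim triggers the flow
  return refreshAccessToken(stolen, opts) !== null;
}

// Usage:
//   stolenTokenSurvives(passwordForgotVulnerable)                       -> true
//   stolenTokenSurvives(passwordForgotFixed)                            -> false
//   stolenTokenSurvives(passwordForgotVulnerable, { pinVersion: true }) -> false
```

The pinVersion branch shows the second, independent control a reviewer would ask for: if the refresh exchange compares the version the token was issued under with the user's current token_version, rotating token_version on its own is enough to reject stale tokens, so a handler that forgets the deletion still fails closed.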

Impact Analysis

An attacker who has already stolen a user's refresh token (for example by capturing the refresh cookie) can keep accessing that user's NocoDB account after the user triggers password recovery. This defeats the purpose of the recovery flow, which a user typically runs precisely because they suspect their credentials or session have been compromised, and can lead to unauthorized reads of, or changes to, the data and workspaces the account can reach.

Because the refresh exchange still honours the captured token, the attacker mints fresh JWT access tokens at will and bypasses the intended invalidation of existing sessions. The exposure only requires an attacker to hold a refresh token before the victim starts recovery; no further interaction with the victim is needed.

Mitigation Strategies

Upgrade NocoDB to version 2026.05.1 or later, where the password-forgot flow deletes the user's refresh tokens as passwordChange and passwordReset already did.

Upgrading does not by itself revoke refresh tokens that an attacker captured before the upgrade; those remain valid until they are deleted or expire. For any account that triggered password recovery on an affected version, or that is otherwise suspected of session theft, have the user complete a password change or reset after the upgrade, since the advisory states those flows delete all of the user's refresh tokens. Where the deployment can do so, invalidating all outstanding refresh tokens once after the upgrade removes the residual risk for every account at the cost of forcing users to sign in again.
