CVE-2026-53928
MEDIUM EPSS 15.3%
Published Jun 23, 20261w ago · Modified Jun 24, 20261w ago
6.3 CVSS 4.0
Published Jun 23, 2026 1w ago
Last Modified Jun 24, 2026 1w ago
Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
15.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-613
References 1
- github.com https://github.com/nocodb/nocodb/security/advisories/GHSA-r989-7g3j-wjhw
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.