logo

Database

Insecure session management In nocodb

Description

NocoDB: OAuth Tokens Persist Through Security Events

Summary

OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.

Details

revokeAllOAuthTokensByUser in the users service was an empty stub being called from passwordChange, passwordForgot, and passwordReset. It now delegates to OAuthToken.revokeAllByUser(userId), which deletes the rows and invalidates the related auth caches. All three reset/recovery flows now consistently revoke refresh tokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate token_version.

Impact

Persistent unauthorized access through previously issued OAuth tokens after a documented security event (password change, forgot, or reset).

Credit

This issue was reported by @bugbunny-research.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-539262. NVD-2026-539263. OSV-2026-539264. GHSA-g72g-r7m4-9x4g5. GCVE-2026-53926

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g2. https://github.com/nocodb/nocodb/releases/tag/2026.05.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.