logo

Database

Race condition In nocodb

Description

NocoDB: OAuth Authorization Code Race Condition

Summary

Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on.

Details

The token-exchange flow read is_used and called markAsUsed as an unconditional update at the end of the path. A new OAuthAuthorizationCode.claimByCode method now performs an atomic compare-and-swap (WHERE code = ? AND is_used = false) and is called immediately before OAuthToken.insert, after redirect-URI, PKCE, and client authentication have all succeeded. Only the first concurrent caller's UPDATE wins; the rest see invalid_grant: Authorization code has already been used.

Impact

An attacker who has observed an authorization code and the corresponding PKCE verifier (for example through a malicious OAuth-aware client or by racing a real exchange) could obtain a long-lived refresh token in addition to the legitimate one.

Credit

This issue was reported by @eddieran.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-473862. NVD-2026-473863. OSV-2026-473864. GHSA-8m7c-hf24-5g475. GCVE-2026-47386

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-8m7c-hf24-5g472. https://github.com/nocodb/nocodb/releases/tag/2026.05.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.