CVE-2026-53926

MEDIUM

NocoDB: OAuth Tokens Persist Through Security Events

Title source: cna
STIX 2.1

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.

References (1)

Core 1
Core References

Scores

CVSS v4 6.3
EPSS 0.0029
EPSS Percentile 21.3%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-613
Status published
Products (1)
nocodb/nocodb < 2026.05.1
Published Jun 23, 2026
Tracked Since Jun 24, 2026