Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Token revocation failure allowing continued access after password reset
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because the password reset flow does not revoke existing refresh tokens, so an attacker who already holds a stolen refresh token can keep minting valid JWTs even after the user changes their password. This gives the attacker a persistent, unauthorized access path that needs no further credentials or exploits. The issue is categorized as CWE-613 (Insufficient Session Expiration).

Affected Systems

The flaw affects every NocoDB installation running a version older than 0.301.3; all releases prior to the patch are potentially exposed.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. EPSS is reported as less than 1%, suggesting a low probability of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires prior theft of a refresh token; no additional privileges or network access are needed beyond that. Once a refresh token is compromised, an attacker can keep generating valid JWTs until the token is revoked, which on unpatched versions a password change alone does not do; the patch adds that revocation to the reset flow.

Generated by OpenCVE AI on April 17, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.3 or later, which revokes refresh tokens during password reset.
  • After upgrading, force logout for all users or manually invalidate existing refresh tokens to ensure that any tokens issued before the patch are no longer usable.
  • Monitor authentication logs for unexpected token usage after password resets and reset passwords or enforce new tokens if suspicious activity is detected.

Generated by OpenCVE AI on April 17, 2026 at 13:33 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-x4vh-j75g-268g
Title: NocoDB's Refresh Tokens Not Revoked on Password Reset
History

Tue, 03 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nocodb; Nocodb nocodb
CPEs | | cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
Vendors & Products | | Nocodb; Nocodb nocodb
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Tue, 03 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.
Title | | NocoDB: Refresh Tokens Not Revoked on Password Reset
Weaknesses | | CWE-613
References | |
Metrics | | cvssV4_0: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T15:57:35.051Z

Reserved: 2026-02-27T15:33:57.288Z

Link: CVE-2026-28396

Vulnrichment

Updated: 2026-03-03T15:57:30.656Z

NVD

Status : Analyzed

Published: 2026-03-02T17:16:34.627

Modified: 2026-03-03T19:01:16.757

Link: CVE-2026-28396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses