Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The refresh‑token cookie in NocoDB was created with httpOnly set to true, but the Secure flag and SameSite attribute were omitted. This means that when the application is accessed over plain HTTP, an attacker can capture the cookie in transit, and without SameSite enforcement, browsers will automatically send the cookie on cross‑site POST requests to the token‑refresh endpoint, enabling attackers to perform CSRF attacks that refresh the token. The result is that an attacker can obtain a valid session refresh token and potentially hijack a user’s session.

Affected Systems

NocoDB software versions prior to 2026.04.1 are affected. The vendor is nocodb:nocodb according to the CNA.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no known active exploits. Attackers could exploit the vulnerability by accessing the application over an unencrypted channel or by inducing a victim to visit a malicious site that triggers a cross‑site POST to the token‑refresh endpoint.

Generated by OpenCVE AI on June 24, 2026 at 02:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, which sets the Secure and SameSite flags for the refresh‑token cookie.
  • Serve the application only over HTTPS to prevent network interception of the cookie.
  • Apply additional CSRF safeguards such as a CSRF token or WAF rules on the token‑refresh endpoint to block cross‑site POSTs.

Advisories

Source: Github GHSA
ID: GHSA-f74w-272x-mqcv
Title: NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
History

Wed, 24 Jun 2026 02:00:00 +0000

Type: First Time appeared
Values Added: Nocodb; Nocodb nocodb

Type: Vendors & Products
Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
Values Added: NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.

Type: Title
Values Added: NocoDB: Refresh Token Cookie Set Without `Secure` and `SameSite` Flags

Type: Weaknesses
Values Added: CWE-614

Type: References

Type: Metrics
Values Added: cvssV3_1, score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:39:22.473Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46550

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute