Impact
Prior to version 2026.04.1, NocoDB set the refresh‑token cookie with httpOnly enabled while omitting the Secure flag and SameSite attribute. The cookie could travel unencrypted over plain HTTP, enabling an attacker to capture it in transit, and because SameSite was not specified, browsers would include it in cross‑site POST requests. This combination allowed CSRF attacks against the token‑refresh endpoint, permitting an attacker to refresh the token and potentially hijack a user’s session. The vulnerability was addressed in 2026.04.1.
Affected Systems
NocoDB software versions prior to 2026.04.1 are affected. The vendor is nocodb:nocodb according to the CNA.
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no known active exploits. Attackers could exploit the vulnerability by accessing the application over an unencrypted channel or by inducing a victim to visit a malicious site that triggers a cross‑site POST to the token‑refresh endpoint.
OpenCVE Enrichment
Github GHSA