Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 2026.04.1, NocoDB set the refresh‑token cookie with httpOnly enabled while omitting the Secure flag and SameSite attribute. The cookie could travel unencrypted over plain HTTP, enabling an attacker to capture it in transit, and because SameSite was not specified, browsers would include it in cross‑site POST requests. This combination allowed CSRF attacks against the token‑refresh endpoint, permitting an attacker to refresh the token and potentially hijack a user’s session. The vulnerability was addressed in 2026.04.1.

Affected Systems

NocoDB software versions prior to 2026.04.1 are affected. The vendor is nocodb:nocodb according to the CNA.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no known active exploits. Attackers could exploit the vulnerability by accessing the application over an unencrypted channel or by inducing a victim to visit a malicious site that triggers a cross‑site POST to the token‑refresh endpoint.

Generated by OpenCVE AI on June 24, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, which sets the Secure and SameSite flags for the refresh‑token cookie.
  • Serve the application only over HTTPS to prevent network interception of the cookie.
  • Apply additional CSRF safeguards such as a CSRF token or WAF rules on the token‑refresh endpoint to block cross‑site POSTs.

Generated by OpenCVE AI on June 24, 2026 at 09:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f74w-272x-mqcv NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
Title NocoDB: Refresh Token Cookie Set Without `Secure` and `SameSite` Flags
Weaknesses CWE-614
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:15:39.836Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46550

cve-icon Vulnrichment

Updated: 2026-06-24T19:15:28.990Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-614

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute