Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. This vulnerability is fixed in 2026.04.4.
Published: 2026-06-23
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB's authentication middleware consults a cache keyed by API token value before it looks the token up in the database. The token deletion endpoint removes the token row but does not evict that cache entry, so a deleted token keeps authenticating until the entry ages out, a revocation window of up to three days. The practical consequence is that deleting a token does not revoke it: anyone who already holds the token value (because it leaked through a log, a repository or a compromised CI job, for instance) can keep reading and writing data through the API for up to three days after the owner believes it has been revoked. The attacker does not need to delete anything; it is the owner's own revocation that fails to take effect.
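The mechanism above, modelled as an added example in TypeScript (NocoDB is a TypeScript code base, but this is not NocoDB's code): a token store with a TTL cache keyed by token value, the middleware that consults the cache before the database, and the two deletion paths, the vulnerable one that removes only the row and the fixed one that also evicts the cache entry. Class and function names, the injectable clock and the constructed token value are assumptions for illustration; the three-day TTL is the window the advisory describes.

```typescript
// Added example, not NocoDB's code: minimal model of an API-token auth path
// fronted by a TTL cache keyed by token value. Names, the injectable clock and
// the sample token are assumptions; the 3-day TTL is the advisory's figure.

type Clock = () => number; // milliseconds, injectable so the scenario can fast-forward

interface TokenRecord { token: string; userId: string; }

const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000;

class TtlCache<V> {
  private entries = new Map<string, { value: V; expiresAt: number }>();
  constructor(private clock: Clock, private ttlMs: number) {}
  get(key: string): V | undefined {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= this.clock()) { this.entries.delete(key); return undefined; }
    return e.value;
  }
  set(key: string, value: V): void {
    this.entries.set(key, { value, expiresAt: this.clock() + this.ttlMs });
  }
  del(key: string): void { this.entries.delete(key); }
}

class TokenService {
  private db = new Map<string, TokenRecord>(); // stands in for the api_tokens table
  private cache: TtlCache<TokenRecord>;
  constructor(clock: Clock, ttlMs = THREE_DAYS_MS) {
    this.cache = new TtlCache<TokenRecord>(clock, ttlMs);
  }

  create(token: string, userId: string): void { this.db.set(token, { token, userId }); }

  // Auth middleware: a cache hit short-circuits the DB lookup, which is exactly
  // what makes a stale entry dangerous. Returns the user id or null.
  authenticate(token: string): string | null {
    const cached = this.cache.get(token);
    if (cached) return cached.userId;
    const row = this.db.get(token);
    if (!row) return null;
    this.cache.set(token, row);
    return row.userId;
  }

  // Vulnerable deletion path: removes the row, leaves the cache entry alone.
  deleteTokenVulnerable(token: string): void { this.db.delete(token); }

  // Fixed deletion path: also evicts the entry keyed by the token value.
  deleteTokenFixed(token: string): void {
    this.db.delete(token);
    this.cache.del(token);
  }
}

// Drives one deletion path through the same scenario: the token is used once
// (populating the cache), deleted, tried again immediately, then tried again
// after the cache TTL has elapsed. Reports whether each attempt authenticated.
function revocationTimeline(fixed: boolean): { afterDelete: boolean; afterTtl: boolean } {
  let now = 0;
  const svc = new TokenService(() => now);
  const token = 'xc-token-constructed-example'; // constructed sample token
  svc.create(token, 'user-1');
  svc.authenticate(token); // warms the cache, as any prior API call would
  if (fixed) svc.deleteTokenFixed(token); else svc.deleteTokenVulnerable(token);
  const afterDelete = svc.authenticate(token) !== null;
  now += THREE_DAYS_MS + 1; // fast-forward past the cache TTL
  const afterTtl = svc.authenticate(token) !== null;
  return { afterDelete, afterTtl };
}

console.log('vulnerable:', revocationTimeline(false)); // { afterDelete: true, afterTtl: false }
console.log('fixed:', revocationTimeline(true));       // { afterDelete: false, afterTtl: false }
```

Running it shows the vulnerable path still authenticating the deleted token immediately after deletion and only failing once the clock passes the TTL, while the fixed path rejects it at once. The general lesson for any cache-fronted credential check is that revocation must invalidate every key under which the credential is cached; evicting by user or token ID does nothing if the middleware looks up by token value.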

Affected Systems

NocoDB is affected in all releases before version 2026.04.4. The vulnerability exists in the core authentication subsystem of NocoDB and impacts any deployment that relies on API tokens for access. Deployments using this software should verify that their version is 2026.04.4 or newer.

Risk and Exploitability

The CVSS v4.0 score of 2.3 (vector AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N) indicates low overall severity; the vulnerability is not listed in the CISA KEV catalog and no EPSS score is available. The vector is network-reachable through the NocoDB API, but exploitation has preconditions, consistent with the AT:P and UI:P components: the attacker must already hold a valid API token value, and the token's owner must delete it while the cache entry is still live. The bug then extends the attacker's access for up to three days beyond the deletion rather than granting access on its own. It matters most where deleting a token is the incident-response step for a known-leaked token, since that step silently has no effect until the cache entry expires.

Generated by OpenCVE AI on June 24, 2026 at 02:48 UTC.

Remediation

Vendor fix: upgrade to NocoDB 2026.04.4 or later, per the Description and advisory GHSA-f76x-f9vj-92jv. No workaround is provided by the vendor on this page.

OpenCVE Recommended Actions

  • Upgrade to NocoDB 2026.04.4 or later, which evicts the token's auth-cache entry when the token is deleted.
  • Until the upgrade is done, do not treat token deletion as revocation: a token deleted on a vulnerable version keeps working for up to three days, so consider a leaked token live for that long and watch for its continued use.
  • Review and rotate existing API tokens; after deleting or rotating tokens on a vulnerable version, restart the NocoDB service (and flush any external cache store it is configured to use) so stale entries are dropped immediately instead of waiting for the cache TTL, then confirm that a request using the deleted token is rejected.



Advisories

Source: GitHub GHSA
ID: GHSA-f76x-f9vj-92jv
Title: NocoDB: Stale Auth Cache After API Token Deletion
History

Wed, 24 Jun 2026 01:30:00 +0000

Values added:
  • First time appeared: Nocodb (vendor), Nocodb nocodb (product)
  • Vendors & Products: Nocodb (vendor), Nocodb nocodb (product)

Tue, 23 Jun 2026 21:15:00 +0000

Values added:
  • Description: identical to the Description at the top of this page
  • Title: NocoDB: Stale Auth Cache After API Token Deletion
  • Weaknesses: CWE-613
  • References: none listed
  • Metrics: cvssV4_0, score 2.3, vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:30:46.361Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46554

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-613: Insufficient Session Expiration