Impact
NocoDB's authentication subsystem fails to invalidate deleted API tokens in the in-memory cache. Prior to version 2026.04.4, deleting a token only removed its database record, but the corresponding token-value keyed entry remained cached. As a result, the middleware continued to accept the revoked token until the cache entry aged out, creating a revocation window of up to three days. This flaw, classified as CWE-613 (failure to properly invalidate revoked authentication credentials), lets anyone who can delete a token—either legitimately or through a compromised user session—continue to access the API and underlying data, effectively bypassing authorization controls until the stale cache entry expires. The issue is fixed in 2026.04.4.
Affected Systems
NocoDB is affected in all releases before version 2026.04.4. The vulnerability exists in the core authentication subsystem of NocoDB and impacts any deployment that relies on API tokens for access. Deployments using this software should verify that their version is 2026.04.4 or newer.
Risk and Exploitability
The CVSS score of 2.3 indicates low overall severity, and the vulnerability is not currently listed in the CISA KEV catalog. The EPSS score is not available, but the lack of inclusion in KEV and the low CVSS suggest a limited likelihood of exploitation in the wild. The attack vector is inferred to be remote, via the NocoDB web interface or API, since an attacker would need the ability to delete a token to maintain the stale cache. A compromised user or application with admin privileges could trigger deletion, leaving the token valid for up to three days.
OpenCVE Enrichment
Github GHSA