Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB, a spreadsheet‑style database platform, has a race condition in its token‑exchange endpoint that allows two concurrent requests using the same OAuth authorization code to each generate a distinct valid access_token and refresh_token pair. This flaw, identified as CWE‑362, breaks the single‑use guarantee expected by PKCE and permits the creation of multiple usable tokens from one authorization code.

Affected Systems

All NocoDB instances running versions prior to 2026.05.1 are affected; the issue is fixed in version 2026.05.1.

Risk and Exploitability

The CVSS score of 6.3 classifies the vulnerability as moderate. EPSS information is not available and the flaw is not listed in the CISA KEV catalog. An attacker can exploit the race condition by issuing two simultaneous token‑exchange requests that reuse the same authorization code; no special permissions are required beyond the ability to connect to the NocoDB service.

Generated by OpenCVE AI on June 24, 2026 at 11:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.05.1 or later to eliminate the race condition.
  • If an immediate upgrade is not possible, configure the system to serialize or otherwise restrict concurrent token‑exchange requests, ensuring a strict single‑use check on authorization codes.
  • Continuously review OAuth token issuance logs for duplicate or unusually high token generation activity to detect potential exploitation.
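As an added illustration of the strict single-use check above (not NocoDB's own code; the in-memory store, the `tick` helper standing in for database round trips, and the token-minting stub are constructed for this example), the following TypeScript contrasts a check-then-delete exchange, where two concurrent requests both pass the check, with an atomic consume where only the first succeeds:

```typescript
// Constructed in-memory authorization-code store; each await stands in for a database round trip.
const tick = (): Promise<void> => new Promise((resolve) => setTimeout(resolve, 0));
interface CodeRecord { clientId: string; codeChallenge: string }

class CodeStore {
  private codes = new Map<string, CodeRecord>();
  constructor(entries: Array<[string, CodeRecord]>) {
    for (const [code, rec] of entries) this.codes.set(code, rec);
  }
  async get(code: string): Promise<CodeRecord | undefined> {
    await tick();
    return this.codes.get(code);
  }
  async remove(code: string): Promise<void> {
    await tick();
    this.codes.delete(code);
  }
  // Atomic check-and-delete: lookup and removal happen in one synchronous step, so no other
  // request can observe the code in between (SQL analogue: DELETE ... WHERE code = ? RETURNING *).
  async consume(code: string): Promise<CodeRecord | undefined> {
    await tick();
    const rec = this.codes.get(code);
    if (rec !== undefined) this.codes.delete(code);
    return rec;
  }
}

let serial = 0; // constructed token stub; a real server issues signed or random tokens
const mint = () => ({ access_token: `at-${++serial}`, refresh_token: `rt-${serial}` });
type Exchange = (store: CodeStore, code: string) => Promise<ReturnType<typeof mint> | null>;

// Vulnerable pattern: separate lookup and removal. Two concurrent requests can both pass the
// lookup before either removal runs, so each one mints its own token pair.
const exchangeRacy: Exchange = async (store, code) => {
  if (!(await store.get(code))) return null;
  await store.remove(code);
  return mint();
};

// Fixed pattern: the code is consumed atomically; the second request finds nothing.
const exchangeAtomic: Exchange = async (store, code) => ((await store.consume(code)) ? mint() : null);

// Fire n concurrent exchanges of one code and count how many token pairs were issued.
async function countMinted(exchange: Exchange, n = 2): Promise<number> {
  const store = new CodeStore([["code-abc", { clientId: "demo", codeChallenge: "ch" }]]);
  const results = await Promise.all(Array.from({ length: n }, () => exchange(store, "code-abc")));
  return results.filter((r) => r !== null).length;
}
```

With two concurrent requests, `countMinted(exchangeRacy)` resolves to 2 and `countMinted(exchangeAtomic)` to 1.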

Advisories

Source: Github GHSA
ID: GHSA-8m7c-hf24-5g47
Title: NocoDB: OAuth Authorization Code Race Condition
History

Wed, 24 Jun 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Nocodb; Nocodb nocodb

Type: Vendors & Products
Values Added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 20:30:00 +0000

Type: Description
Values Added: NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.

Type: Title
Values Added: NocoDB: OAuth Authorization Code Race Condition

Type: Weaknesses
Values Added: CWE-362

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:12:13.596Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47386

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:45:02Z

Weaknesses
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')