Impact
NocoDB is a platform for building database‑like spreadsheets. Prior to the 2026.05.1 release the revokeAllOAuthTokensByUser service was an empty stub that was invoked during passwordChange, passwordForgot, and passwordReset. As a result, OAuth access and refresh tokens were not revoked when a user changed or reset their password, allowing an attacker who had previously obtained a valid OAuth token to continue accessing the system after the user believed they had removed the threat. This flaw effectively bypasses the expected token revocation process and constitutes an authorization bypass consistent with CWE-613.
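As an added illustration (not NocoDB's own code), the TypeScript below models the stubbed revokeAllOAuthTokensByUser beside a working version, both wired into a passwordChange hook, so the difference in token validity after a password change can be checked directly; the TokenStore class, its methods and the demo function are assumptions made for this example.

```typescript
// Constructed illustration, not NocoDB source: a minimal OAuth token store and a
// password-change hook, comparing the no-op revocation stub with a real one.
type TokenKind = "access" | "refresh";
type Token = { id: string; userId: string; kind: TokenKind; revoked: boolean };

class TokenStore {
  private tokens = new Map<string, Token>();
  private seq = 0;

  issue(userId: string, kind: TokenKind): string {
    const id = `${kind}-${++this.seq}`;
    this.tokens.set(id, { id, userId, kind, revoked: false });
    return id;
  }

  // What a resource endpoint checks: the token must exist and not be revoked.
  isValid(id: string): boolean {
    const t = this.tokens.get(id);
    return t !== undefined && !t.revoked;
  }

  // Pre-2026.05.1 behaviour described in the advisory: an empty stub, nothing revoked.
  revokeAllOAuthTokensByUserStub(_userId: string): number {
    return 0;
  }

  // Corrected behaviour (assumed shape): revoke every access and refresh token of the user.
  revokeAllOAuthTokensByUser(userId: string): number {
    let n = 0;
    for (const t of this.tokens.values()) {
      if (t.userId === userId && !t.revoked) { t.revoked = true; n++; }
    }
    return n;
  }
}

// The hook that passwordChange / passwordForgot / passwordReset invoke after updating credentials.
function passwordChange(store: TokenStore, userId: string, revoke: (u: string) => number): number {
  return revoke(userId); // credential update itself omitted; only the revocation step matters here
}

function demo(useStub: boolean): { revokedCount: number; oldTokenStillValid: boolean; otherUserStillValid: boolean } {
  const store = new TokenStore();
  const stolen = store.issue("alice", "access");   // token obtained before the password change
  store.issue("alice", "refresh");
  const bobs = store.issue("bob", "access");       // another user's token must be unaffected
  const revoke = useStub
    ? store.revokeAllOAuthTokensByUserStub.bind(store)
    : store.revokeAllOAuthTokensByUser.bind(store);
  const revokedCount = passwordChange(store, "alice", revoke);
  return { revokedCount, oldTokenStillValid: store.isValid(stolen), otherUserStillValid: store.isValid(bobs) };
}

console.log("stub:", demo(true), "fixed:", demo(false));
```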
Affected Systems
The vulnerability applies to all releases of NocoDB before 2026.05.1. Users running any pre‑2026.05.1 version are impacted.
Risk and Exploitability
The CVSS score of 6.3 classifies the issue as moderate severity. EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no known widely‑publicized exploits. The likely attack vector is remote use of the application's authentication flows, inferred from the fact that the flaw manifests during password change, reset, or recovery events. An attacker capable of obtaining a valid OAuth token can exploit this bug by triggering a password change, reset, or recovery event, which would normally invalidate the token but, due to the stubbed implementation, leaves it usable. The attack can be performed remotely using normal application flows without special privileges, so while the likelihood of exploitation is not well quantified, the potential for unauthorized access warrants prompt remediation.
Github GHSA