PT-2026-22633 · Nocodb · Nocodb

Bugbunny-Research

·

Published

2026-03-02

·

Updated

2026-03-02

·

CVE-2026-28396

CVSS v3.1

6.5

Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.301.3

Description: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset process did not invalidate existing refresh tokens. This allowed an attacker who previously obtained a refresh token to continue creating valid JSON Web Tokens (JWTs) even after the user reset their password. The password reset flow did not revoke existing refresh tokens, enabling continued access with stolen tokens.

Recommendations: Update to version 0.301.3 or later.
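To make the weakness concrete, here is an added example (not NocoDB's code and not the fix shipped in 0.301.3) of the two refresh-token designs side by side: a vulnerable refresh endpoint that checks only signature and expiry, and a fixed one that also binds each refresh token to a per-user token version which the password reset bumps. The user store, the `tokenVersion` field, the HMAC-signed token format and the function names are all assumptions made for the demonstration; the secret and user data are constructed.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Hypothetical in-memory user store (not NocoDB's schema).
interface User { id: string; passwordHash: string; tokenVersion: number; }
const users = new Map<string, User>();

// Constructed demo secret; a real deployment loads this from configuration.
const SECRET = "constructed-demo-secret";
const REFRESH_TTL_SEC = 30 * 24 * 3600;
const ACCESS_TTL_SEC = 10 * 60;

interface Claims { sub: string; ver: number; exp: number; }

function sign(body: string): string {
  return createHmac("sha256", SECRET).update(body).digest("base64url");
}

// Minimal "header-less JWT": base64url(JSON claims) + "." + HMAC signature.
function encode(claims: Claims): string {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Verifies signature (constant time) and expiry; returns null on any failure.
function decode(token: string, nowSec: number): Claims | null {
  const [body, sig] = token.split(".");
  if (!body || !sig) return null;
  const expected = sign(body);
  if (expected.length !== sig.length ||
      !timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString()) as Claims;
  if (claims.exp <= nowSec) return null;
  return claims;
}

export function createUser(id: string, passwordHash: string): void {
  users.set(id, { id, passwordHash, tokenVersion: 0 });
}

export function issueRefreshToken(userId: string, nowSec: number): string {
  const user = users.get(userId);
  if (!user) throw new Error("unknown user");
  return encode({ sub: userId, ver: user.tokenVersion, exp: nowSec + REFRESH_TTL_SEC });
}

function issueAccessToken(userId: string, ver: number, nowSec: number): string {
  return encode({ sub: userId, ver, exp: nowSec + ACCESS_TTL_SEC });
}

// Vulnerable pattern: a refresh token stays usable for its whole lifetime,
// regardless of what happened to the account after it was issued.
export function refreshVulnerable(token: string, nowSec: number): string | null {
  const claims = decode(token, nowSec);
  if (!claims || !users.has(claims.sub)) return null;
  return issueAccessToken(claims.sub, claims.ver, nowSec);
}

// Fixed pattern: the token's version must match the user's current version.
export function refreshFixed(token: string, nowSec: number): string | null {
  const claims = decode(token, nowSec);
  if (!claims) return null;
  const user = users.get(claims.sub);
  if (!user || claims.ver !== user.tokenVersion) return null;
  return issueAccessToken(claims.sub, claims.ver, nowSec);
}

// Password reset bumps the version, so every refresh token issued before
// the reset fails the version check in refreshFixed.
export function resetPassword(userId: string, newPasswordHash: string): void {
  const user = users.get(userId);
  if (!user) throw new Error("unknown user");
  user.passwordHash = newPasswordHash;
  user.tokenVersion += 1;
}
```

The version counter is the cheapest revocation primitive: one integer per user, no server-side token table, and it also covers "log out everywhere". A per-token denylist or a `passwordChangedAt` timestamp compared against the token's issue time achieves the same property; whichever is used, the invariant to test for is that a refresh token minted before the reset no longer produces an access token after it.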

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2026-28396
GHSA-X4VH-J75G-268G

Affected Products

Nocodb