PT-2026-42676 · Nocodb · Nocodb

Published: 2026-05-21 · Updated: 2026-05-21 · CVE-2026-46550

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NocoDB (affected versions not specified)

Description: The refresh-token cookie is configured with httpOnly: true but lacks the secure flag and the sameSite attribute. Without the secure flag, the browser also sends the cookie over plain HTTP, where it can be intercepted on the network. Without a sameSite attribute, browsers attach the cookie to cross-site POST requests, which enables Cross-Site Request Forgery (CSRF) against the token-refresh endpoint. Specifically, the setTokenCookie() function in packages/nocodb/src/services/users/helpers.ts does not set these attributes. As a result, the endpoint 'POST /api/v2/auth/token/refresh' reads the cookie unconditionally and returns a new JSON Web Token (JWT) without requiring a CSRF token. A malicious cross-origin page could trigger a token refresh and, if combined with another vulnerability such as cross-site scripting (XSS) or an open redirect, potentially capture the new JWT.

Recommendations: Update the setTokenCookie() function to include sameSite: 'lax' and to set the secure flag to true when the request URL starts with HTTPS. As a temporary workaround, restrict access to the 'POST /api/v2/auth/token/refresh' endpoint to trusted networks, or ensure the application is only accessed via HTTPS.
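The following is an added illustration, not NocoDB's own setTokenCookie() code: it places the weak cookie configuration the advisory describes beside a hardened one that follows the recommendation (sameSite 'lax' always, secure when the request URL is HTTPS), serializes both into a Set-Cookie header value, and runs a small audit over that header so the two can be compared. The cookie name 'refresh_token', the 30-day lifetime and the example URLs are assumptions chosen for the demonstration.

```typescript
// Added example: hardened refresh-token cookie options plus a Set-Cookie audit.
// Illustrative code only; it is not NocoDB's setTokenCookie() implementation.

interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite: 'lax' | 'strict' | 'none';
  path: string;
  maxAge?: number; // lifetime in seconds
}

// Weak configuration as described in the advisory: HttpOnly only,
// no Secure flag and no SameSite attribute.
function weakRefreshCookieOptions(): Partial<CookieOptions> {
  return { httpOnly: true, path: '/' };
}

// Hardened configuration following the advisory's recommendation:
// SameSite=Lax unconditionally, Secure when the request URL is HTTPS.
function hardenedRefreshCookieOptions(requestUrl: string): CookieOptions {
  const isHttps = requestUrl.toLowerCase().startsWith('https://');
  return {
    httpOnly: true,
    secure: isHttps,
    sameSite: 'lax',
    path: '/',
    maxAge: 30 * 24 * 60 * 60, // assumed 30-day lifetime for the example
  };
}

// Serialize a cookie name/value and its options into a Set-Cookie header value.
function serializeSetCookie(name: string, value: string, opts: Partial<CookieOptions>): string {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  }
  return parts.join('; ');
}

// Audit a Set-Cookie header value for a session or refresh cookie and
// return the findings a reviewer would flag (empty array means clean).
function auditSetCookie(header: string): string[] {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const has = (name: string) => attrs.some((a) => a === name || a.startsWith(name + '='));
  const findings: string[] = [];
  if (!has('httponly')) findings.push('missing HttpOnly');
  if (!has('secure')) findings.push('missing Secure');
  if (!has('samesite')) findings.push('missing SameSite');
  // SameSite=None is only honoured by browsers when Secure is also present.
  if (attrs.includes('samesite=none') && !has('secure')) {
    findings.push('SameSite=None requires Secure');
  }
  return findings;
}

// Stand-alone demonstration: compare the weak and hardened headers.
const weakHeader = serializeSetCookie('refresh_token', 'example-token', weakRefreshCookieOptions());
const hardenedHeader = serializeSetCookie(
  'refresh_token',
  'example-token',
  hardenedRefreshCookieOptions('https://nocodb.example.test/api/v2/auth/token/refresh'),
);
console.log('weak:     ', weakHeader, auditSetCookie(weakHeader));
console.log('hardened: ', hardenedHeader, auditSetCookie(hardenedHeader));
```

One practical caveat when deriving the Secure flag from the request URL: behind a TLS-terminating reverse proxy the application may see the request as plain HTTP even though the client used HTTPS, so deployments in that shape should derive the scheme from the trusted proxy headers or simply force secure: true in production.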

Related Identifiers

CVE-2026-46550
GHSA-F74W-272X-MQCV

Affected Products

Nocodb