PT-2026-50474 · Nocodb · Nocodb

Bugbunny-Research · Published 2026-06-17 · Updated 2026-06-23 · CVE-2026-53928

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 2026.05.1

Description: A stolen refresh token persists after a password-forgot flow, allowing it to be used to generate new JSON Web Tokens (JWTs) even after a user resets their password. While the passwordChange() and passwordReset() functions delete user refresh tokens, the passwordForgot() function only rotates the token version variable and revokes OAuth tokens, failing to call UserRefreshToken.deleteAllUserToken(user.id). Consequently, an attacker with a captured refresh cookie can exchange it for a new access token after the victim completes the recovery process, leading to persistent unauthorized access.

Recommendations: Update to version 2026.05.1.
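The session-state gap described above, as an added illustrative model (not NocoDB's code; SessionStore, passwordForgotVulnerable, passwordForgotFixed and the sample token value are assumptions): a per-user tokenVersion is rotated while refresh tokens live in a separate table, so rotating the version alone leaves previously issued refresh tokens exchangeable. The regression check at the end is the kind of test a maintainer would add to confirm the fix.

```typescript
// Illustrative model, not NocoDB's code: user records carry a tokenVersion
// and refresh tokens are stored in a separate table keyed by token value.
interface User { id: string; tokenVersion: number }
interface RefreshRecord { userId: string }
class SessionStore {
  private users = new Map<string, User>();
  private refreshTokens = new Map<string, RefreshRecord>();
  addUser(id: string): void { this.users.set(id, { id, tokenVersion: 1 }); }

  issueRefreshToken(userId: string, token: string): void {
    if (!this.users.has(userId)) throw new Error("unknown user");
    this.refreshTokens.set(token, { userId });
  }

  // The refresh endpoint: any refresh token still present in the table can be
  // exchanged for a new access token (assumed; the version is not re-checked).
  refreshAccessToken(token: string): string | null {
    const rec = this.refreshTokens.get(token);
    return rec ? `access-for-${rec.userId}` : null;
  }

  // Counterpart of UserRefreshToken.deleteAllUserToken(user.id) in the advisory.
  deleteAllUserTokens(userId: string): void {
    this.refreshTokens.forEach((rec, tok) => {
      if (rec.userId === userId) this.refreshTokens.delete(tok);
    });
  }

  // Vulnerable shape: rotates the version only; stored refresh tokens survive.
  passwordForgotVulnerable(userId: string): void {
    this.users.get(userId)!.tokenVersion += 1;
  }

  // Fixed shape: rotate the version and drop every refresh token of the user.
  passwordForgotFixed(userId: string): void {
    this.passwordForgotVulnerable(userId);
    this.deleteAllUserTokens(userId);
  }
}

// Regression check: does a refresh token issued before the forgot-password
// flow still mint access tokens afterwards? Returns true if it does.
function refreshSurvivesForgot(fixed: boolean): boolean {
  const store = new SessionStore();
  store.addUser("alice");
  store.issueRefreshToken("alice", "rt-constructed-sample"); // constructed value
  if (fixed) store.passwordForgotFixed("alice"); else store.passwordForgotVulnerable("alice");
  return store.refreshAccessToken("rt-constructed-sample") !== null;
}
```

In the vulnerable shape refreshSurvivesForgot(false) is true; in the fixed shape refreshSurvivesForgot(true) is false.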

Fix

Insufficient Session Expiration


Weakness Enumeration

Related Identifiers

CVE-2026-53928
GHSA-R989-7G3J-WJHW

Affected Products

Nocodb