CVE-2026-53926 | NocoDB is software for building databases as spreadsheets. P… | CVSS 6.3 MEDIUM

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1.

Metadata

CVE ID: CVE-2026-53926
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-11 15:46 UTC
Published: 2026-06-23 20:08 UTC
Last updated: 2026-06-23 20:08 UTC
Primary CWE: CWE-613
CWE-613: Insufficient Session Expiration
Vendor / Product: nocodb / nocodb
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
nocodb	nocodb	—	< 2026.05.1

Weakness (CWE)

CWE	Source	Description
CWE-613	cna	CWE-613: Insufficient Session Expiration

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g