NocoDB's Refresh Tokens Not Revoked on Password Reset

GHSA-x4vh-j75g-268g · CVE-2026-28396

Published Mar 2, 2026 · Modified Mar 4, 2026

Description

Summary

The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.

Details

passwordReset() in users.service.ts updated token_version (invalidating JWTs) but did not call UserRefreshToken.deleteAllUserToken(). The refreshToken() method only checked token existence, not token_version. Both passwordChange() and signOut() correctly deleted all refresh tokens.

Impact

An attacker who previously obtained a refresh token retains access after password reset until the token expires.

Credit

This issue was reported by @bugbunny-research (bugbunny.ai).

References

WEB https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-28396
PACKAGE https://github.com/nocodb/nocodb
WEB https://github.com/nocodb/nocodb/releases/tag/0.301.3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes