CVE Reports

Posted on • Originally published at cvereports.com

GHSA-G72G-R7M4-9X4G: Insufficient Session Expiration of OAuth Tokens in NocoDB

Vulnerability ID: GHSA-G72G-R7M4-9X4G
CVSS Score: 6.3
Published: 2026-06-05

NocoDB is subject to an insufficient session expiration vulnerability where OAuth access and refresh tokens are not invalidated or revoked during security-sensitive actions such as password changes, forgot-password requests, or password resets. This allows an attacker possessing an active OAuth token to maintain unauthorized persistence.

TL;DR

NocoDB fails to revoke OAuth tokens when a user changes or resets their password, allowing pre-existing OAuth grants to retain active API access.


Technical Details

  • CWE ID: CWE-613: Insufficient Session Expiration
  • Attack Vector: Network (AV:N)
  • CVSS Score: 6.3 (Medium)
  • Exploit Status: No public exploit available
  • Vulnerable Versions: <= 2026.05.0
  • Patched Version: 2026.05.1
  • CISA KEV Status: Not Listed

Affected Systems

  • NocoDB
  • nocodb: <= 2026.05.0 (Fixed in: 2026.05.1)

Code Analysis

Commit: 87ab628

Implement OAuthToken.revokeAllByUser to revoke OAuth tokens on password change, reset, and forgot password events.

@@ -0,0 +1,6 @@
+  static async revokeAllByUser(userId: string, ncMeta = Noco.ncMeta) {
+    const tokens = await this.listByUser(userId, ncMeta);
+    if (tokens?.length) {
+      await Promise.all(tokens.map((t) => this.revoke(t.id, ncMeta)));
+    }
+  }
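Review bot: the hunk adds only the new `revokeAllByUser` method; the call sites in the password-change, password-reset and forgot-password handlers that the commit message describes are not in this diff, so a reviewer cannot confirm from these six lines that all three events actually invoke it. Also, `Promise.all(tokens.map((t) => this.revoke(t.id, ncMeta)))` issues the revocations outside any transaction and rejects on the first failure, so a partial failure can leave some of the user's tokens live; consider running the revocations inside a transaction on `ncMeta` or using `Promise.allSettled` and logging the per-token failures so the caller can retry, and add a short doc comment stating that both access and refresh tokens are covered if `listByUser` returns both.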

Mitigation Strategies

  • Upgrade NocoDB to version 2026.05.1 or later to apply the official fix.
  • Manually delete records from the OAuth token metadata table for compromised users.
  • Implement monitoring to detect API requests authenticated via OAuth after password change/reset events.

Remediation Steps:

  1. Identify vulnerable NocoDB instances running versions <= 2026.05.0.
  2. Apply the update to version 2026.05.1 or newer in your environment.
  3. If the update is delayed, retrieve the user ID of each compromised account and execute targeted deletions of that user's records in the OAuth token metadata table.
  4. Verify that subsequent API requests using previous OAuth tokens are correctly blocked with HTTP 401 Unauthorized.
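The monitoring mitigation and the verification step above amount to one check: an OAuth-authenticated request whose token was issued before the caller's most recent password change or reset should never succeed. The following is an added example, not NocoDB code; the event shape, field names and the sample log are constructed for illustration.

```typescript
// Added example (not NocoDB's code): flag API requests that use an OAuth token
// issued before the user's latest password change/reset (CWE-613 signal).
// Event shape, field names and sample records are constructed for illustration.
type PasswordEvent = { kind: "password_change" | "password_reset"; userId: string; at: string };
type ApiRequest = {
  kind: "api_request"; userId: string; tokenId: string; tokenIssuedAt: string; at: string; path: string;
};
type LogEvent = PasswordEvent | ApiRequest;

export interface Finding {
  userId: string; tokenId: string; path: string; at: string; passwordChangedAt: string;
}

// Constructed sample log: alice changes her password at 10:00; a token minted at
// 09:00 is then still accepted at 10:02, while a re-issued token at 10:05 is fine.
// bob's account is reset at 11:00 and an 08:00 token is still used afterwards.
export const SAMPLE_LOG: LogEvent[] = [
  { kind: "api_request", userId: "alice", tokenId: "tok_a1", tokenIssuedAt: "2026-06-01T09:00:00Z", at: "2026-06-01T09:30:00Z", path: "/api/v2/tables" },
  { kind: "password_change", userId: "alice", at: "2026-06-01T10:00:00Z" },
  { kind: "api_request", userId: "alice", tokenId: "tok_a1", tokenIssuedAt: "2026-06-01T09:00:00Z", at: "2026-06-01T10:02:00Z", path: "/api/v2/tables" },
  { kind: "api_request", userId: "alice", tokenId: "tok_a2", tokenIssuedAt: "2026-06-01T10:05:00Z", at: "2026-06-01T10:06:00Z", path: "/api/v2/meta/bases" },
  { kind: "password_reset", userId: "bob", at: "2026-06-01T11:00:00Z" },
  { kind: "api_request", userId: "bob", tokenId: "tok_b1", tokenIssuedAt: "2026-06-01T08:00:00Z", at: "2026-06-01T11:30:00Z", path: "/api/v2/tables" },
];

export function findStaleTokenUse(log: LogEvent[]): Finding[] {
  // Walk events in timestamp order so each password event is seen before the
  // requests that follow it, regardless of how the log was collected.
  const ordered = [...log].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  const lastPasswordEvent = new Map<string, string>(); // userId -> ISO timestamp
  const findings: Finding[] = [];
  for (const ev of ordered) {
    if (ev.kind !== "api_request") {
      lastPasswordEvent.set(ev.userId, ev.at);
      continue;
    }
    const changedAt = lastPasswordEvent.get(ev.userId);
    if (changedAt === undefined) continue; // no credential change seen yet for this user
    // A token minted before the credential change should have been revoked;
    // seeing it accepted afterwards is exactly what the patch is meant to prevent.
    if (Date.parse(ev.tokenIssuedAt) < Date.parse(changedAt)) {
      findings.push({ userId: ev.userId, tokenId: ev.tokenId, path: ev.path, at: ev.at, passwordChangedAt: changedAt });
    }
  }
  return findings;
}
```

On a patched instance the same check doubles as the verification in step 4: after a password change, every request carrying a pre-change token should be absent from the accepted-request log (rejected with 401) rather than appearing as a finding.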
