CVE-2026-28396 in NocoDB

Summary

by MITRE • 03/02/2026

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.


Analysis

by VulDB Data Team • 03/04/2026

CVE-2026-28396 affects NocoDB, an open-source platform that presents databases through a spreadsheet-style interface. The flaw is present in versions prior to 0.301.3 and sits in the password reset path of the authentication module. It is a token-lifecycle defect rather than a password defect: the reset changes the credential but not the sessions derived from it, so changing the password stops being an effective control over who can act as the account.

Technically, NocoDB authenticates API requests with JWTs and lets a refresh token be exchanged for new JWTs once the current one expires. In affected versions the reset flow updates the stored password but does not revoke the refresh tokens already bound to the account. A refresh token stolen before the reset therefore remains acceptable at the refresh endpoint afterwards, and every JWT it is exchanged for is fully valid, signed by the server like any other. The fix in 0.301.3 revokes existing refresh tokens as part of the reset, so that a credential change once again ends all sessions that predate it.

Operationally, the impact is post-compromise persistence. An attacker who has obtained a refresh token, whether by network interception, by malware or script injection on the client, or by any other initial compromise, keeps access for as long as that refresh token itself remains valid, and the password change the victim performs as their first remediation step does nothing to evict them. Because the attacker's requests carry legitimately issued tokens, they look like the user's own traffic in ordinary authentication logging, which makes the persistence hard to notice. This is a failure of session management and token lifecycle control: the credential and the sessions derived from it are supposed to share a lifetime, and here they do not.

Mitigation is to deploy NocoDB 0.301.3 or later, which revokes existing refresh tokens during password reset. Upgrading does not retroactively invalidate tokens stolen before the upgrade, so security teams should also force session invalidation for all users after patching, so that any refresh token issued under the old code is retired, and should audit recent authentication activity for refresh-token use that continued after a password change. Ongoing monitoring for unusual token usage, such as refreshes from new network locations or with tokens older than the account's last credential change, is worthwhile regardless of version. The vulnerability is classified as CWE-613 (Insufficient Session Expiration). In ATT&CK terms the attacker's continued use of the stolen token is T1078 (Valid Accounts); T1566 (Phishing) is an initial-access technique, not a credential-access one, and is relevant only as one route by which the refresh token may have been stolen in the first place. Organizations should also review their token lifetime policies and consider device trust verification and multi-factor authentication, keeping in mind that MFA at login does not by itself bound the life of an already-issued refresh token.

Responsible

GitHub M

Reservation

02/27/2026

Disclosure

03/02/2026

Moderation

accepted

CPE

ready

EPSS

0.00042

KEV

no

Activities

very low
