CVE-2026-46554 in NocoDB

Summary

by MITRE • 06/23/2026

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. This vulnerability is fixed in 2026.04.4.


Analysis

by VulDB Data Team • 06/23/2026

The vulnerability in NocoDB represents a critical authorization flaw that undermines the security of API token management within the application. This issue stems from a fundamental design oversight in how the system handles authentication cache invalidation during token deletion operations. The problem manifests as a temporal window where deleted tokens remain functional despite being removed from the database, creating a persistent security risk that can be exploited by malicious actors who gain access to compromised tokens.

The technical root cause of this vulnerability lies in the improper implementation of the authentication cache invalidation mechanism. When API tokens are deleted from the database, the system correctly removes the corresponding database row but fails to invalidate the associated cache entry that was indexed by token value. This design flaw creates a disconnect between the persistent storage layer and the in-memory cache layer, allowing the authentication middleware to continue accepting requests bearing the deleted token until the cache entry naturally expires. The vulnerability is classified as a cache inconsistency issue that directly violates proper access control mechanisms.

The operational impact of this vulnerability extends beyond simple unauthorized access, creating a window of opportunity for attackers to exploit deleted tokens for up to three days. This prolonged period of effectiveness significantly increases the attack surface and can result in unauthorized data access, modification, or deletion operations. The vulnerability affects all API token-based authentication flows within NocoDB, potentially compromising sensitive database operations and user data that rely on token-based authorization. Organizations using affected versions face a substantial risk profile where compromised tokens can remain active long after their intended retirement.

The security implications of this vulnerability align with several established threat patterns documented in the cybersecurity community, particularly those related to credential lifecycle management failures. This issue demonstrates a clear violation of the principle of least privilege and proper access control enforcement, as deleted credentials continue to maintain valid authentication state. The vulnerability can be categorized under CWE-284 Access Control Issues and relates to ATT&CK technique T1566 Credential Access through compromised authentication tokens. Organizations should implement immediate mitigations including upgrading to version 2026.04.4 or later, implementing additional monitoring for unauthorized API access patterns, and establishing more frequent cache expiration policies as temporary compensating controls while ensuring proper patch deployment across all affected systems.
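The summary and analysis above describe the flaw as a split between the token table and a token-value keyed auth cache: deletion removes the row but leaves the cache entry, so the middleware keeps accepting the token until the entry ages out. The following TypeScript model, added here as an illustration and not NocoDB's own code, shows that split with a vulnerable and a fixed deletion path side by side. All names (`TokenStore`, `AuthCache`, `authenticate`, `deleteTokenVulnerable`, `deleteTokenFixed`, `revocationWindowMs`) and the sample token value are constructed; the clock is injected so the cache TTL can be advanced deterministically, and the TTL is parameterised to show why a shorter cache lifetime is only a compensating control, not a fix.

```typescript
// Constructed model of the deletion-to-revocation window (not NocoDB's code).
// Names and values are hypothetical; time is injected so the TTL can be driven by hand.

const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000; // TTL matching the page's "up to three days" window
const ONE_HOUR_MS = 60 * 60 * 1000;

interface TokenRow {
  token: string;
  userId: string;
}

interface CacheEntry {
  userId: string;
  expiresAt: number;
}

// Stand-in for the persistent API token table.
class TokenStore {
  private rows = new Map<string, TokenRow>();
  insert(row: TokenRow): void { this.rows.set(row.token, row); }
  findByToken(token: string): TokenRow | undefined { return this.rows.get(token); }
  deleteByToken(token: string): boolean { return this.rows.delete(token); }
}

// Stand-in for the in-memory auth cache, keyed by the raw token value with a fixed TTL.
class AuthCache {
  private entries = new Map<string, CacheEntry>();
  private ttlMs: number;
  private now: () => number;
  constructor(ttlMs: number, now: () => number) {
    this.ttlMs = ttlMs;
    this.now = now;
  }
  get(token: string): CacheEntry | undefined {
    const entry = this.entries.get(token);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) { // aged out: drop it lazily on read
      this.entries.delete(token);
      return undefined;
    }
    return entry;
  }
  set(token: string, userId: string): void {
    this.entries.set(token, { userId, expiresAt: this.now() + this.ttlMs });
  }
  evict(token: string): void { this.entries.delete(token); }
}

// Stand-in for the auth middleware: cache first, then the store, populating the cache on a miss.
function authenticate(cache: AuthCache, store: TokenStore, token: string): string | null {
  const cached = cache.get(token);
  if (cached) return cached.userId;
  const row = store.findByToken(token);
  if (!row) return null;
  cache.set(token, row.userId);
  return row.userId;
}

// Vulnerable deletion (the pre-2026.04.4 behaviour the summary describes): row removed, cache untouched.
function deleteTokenVulnerable(_cache: AuthCache, store: TokenStore, token: string): boolean {
  return store.deleteByToken(token);
}

// Fixed deletion: evict the token-value keyed cache entry in the same operation as the row delete.
function deleteTokenFixed(cache: AuthCache, store: TokenStore, token: string): boolean {
  const removed = store.deleteByToken(token);
  cache.evict(token);
  return removed;
}

// Measures, in ms, how long a deleted token keeps authenticating; 0 means revocation was immediate.
function revocationWindowMs(useFix: boolean, ttlMs: number = THREE_DAYS_MS): number {
  let clock = 0;
  const store = new TokenStore();
  const cache = new AuthCache(ttlMs, () => clock);
  const token = "nc_constructed_sample_token"; // constructed sample value, not a real token
  store.insert({ token, userId: "user-1" });
  authenticate(cache, store, token); // a normal request warms the cache before deletion
  (useFix ? deleteTokenFixed : deleteTokenVulnerable)(cache, store, token);
  let elapsed = 0;
  // Probe once per simulated hour until the middleware finally rejects the token.
  while (authenticate(cache, store, token) !== null) {
    elapsed += ONE_HOUR_MS;
    clock = elapsed;
    if (elapsed > ttlMs) break; // safety guard; never reached because the entry expires at ttlMs
  }
  return elapsed;
}

console.log("vulnerable, 3-day TTL:", revocationWindowMs(false) / ONE_HOUR_MS, "hours");
console.log("vulnerable, 1-hour TTL:", revocationWindowMs(false, ONE_HOUR_MS) / ONE_HOUR_MS, "hours");
console.log("fixed:", revocationWindowMs(true) / ONE_HOUR_MS, "hours");
```

With the vulnerable path the deleted token is accepted for the full TTL (72 simulated hours); shortening the TTL to one hour narrows the window but does not close it, which is why the analysis lists it only as a temporary compensating control. The fixed path evicts by the same key the cache uses, so the first request after deletion falls through to the store and is rejected.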

Responsible: GitHub M
Reservation: 05/14/2026
Disclosure: 06/23/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: very low
