Cross-Site Request Forgery Risk in NocoDB Database Software
CVE-2026-46550

5.4 MEDIUM

Key Information:

Vendor: Nocodb
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-46550?

NocoDB, a platform for building databases in a spreadsheet-style interface, has a vulnerability in its handling of the refresh-token cookie in versions prior to 2026.04.1. The refresh-token cookie was set with the HttpOnly attribute but without the Secure flag and without a SameSite attribute. Lacking Secure, the cookie may be transmitted over unencrypted HTTP connections, where it can be intercepted in network traffic. Lacking SameSite, the browser attaches it to cross-origin requests, so a malicious website can trigger cross-site request forgery (CSRF) against the token-refresh endpoint, potentially compromising user sessions.
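
The following is an added example, not NocoDB's own code, that audits a Set-Cookie header for the three attributes this advisory turns on and shows the pre-fix cookie shape beside a hardened one. The cookie name `refresh_token`, the sample values and the choice of `SameSite=Strict` are assumptions; NocoDB's actual cookie name and fixed settings are not given on this page.

```javascript
// Parse a Set-Cookie header into { name, value, attrs }; attribute keys are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// List the hardening attributes a cookie header lacks. SameSite=None is flagged too,
// because it still lets the browser send the cookie on cross-site requests.
function auditCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (!attrs.secure) findings.push('missing Secure');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (ss === null) findings.push('missing SameSite');
  else if (ss === 'none') findings.push('SameSite=None permits cross-site requests');
  return findings;
}

// Build a hardened refresh-token cookie (cookie name and Strict policy are assumptions).
function hardenedRefreshCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed headers: the pre-fix shape described above, and the hardened form.
const WEAK_COOKIE = 'refresh_token=abc123; Path=/; HttpOnly';
const HARDENED_COOKIE = hardenedRefreshCookie('refresh_token', 'abc123', 86400);

console.log('weak:', auditCookie(WEAK_COOKIE));          // ['missing Secure', 'missing SameSite']
console.log('hardened:', auditCookie(HARDENED_COOKIE));  // []
```

Run the audit over the Set-Cookie headers a deployment actually emits (for example from a login or token-refresh response captured in a test client) to confirm the fix is in effect behind any proxy that rewrites cookies.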

Affected Version(s)

nocodb < 2026.04.1

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
