API Authentication Flaw in NocoDB Affects User Token Management
CVE-2026-46554

2.3LOW

Key Information:

Vendor: Nocodb
Status: Nocodb
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-46554?

NocoDB, a platform that enables users to manage databases as spreadsheets, is impacted by an authentication flaw that affects how API tokens are handled. Prior to the update in version 2026.04.4, deleted API tokens remained valid until their cached entry expired, resulting from a failure to invalidate the token in the authentication cache immediately upon deletion. This oversight allowed unauthorized requests to be accepted for up to three days after token deletion. The vulnerability was addressed in the subsequent software update, which improved token revocation processes.

Affected Version(s)

nocodb < 2026.04.4

References

https://github.com/nocodb/nocodb/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
May 14, 2026

CVE-2026-46554 Data

JSON

Nocodb

What is CVE-2026-46554?

Affected Version(s)

References

CVSS V4

Timeline