Token Exchange Vulnerability in NocoDB Software by NocoDB
CVE-2026-47386

6.3MEDIUM

Key Information:

Vendor: Nocodb
Status: Nocodb
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-47386?

NocoDB, a platform designed to transform databases into spreadsheet interfaces, has a vulnerability that allows for multiple token-exchange requests using the same OAuth authorization code. This flaw permits each request to generate a valid (access_token, refresh_token) pair, violating the expected single-use guarantee provided by the proof key for code exchange (PKCE) mechanism. This vulnerability has been addressed in version 2026.05.1.

Affected Version(s)

nocodb < 2026.05.1

References

https://github.com/nocodb/nocodb/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
May 19, 2026

CVE-2026-47386 Data

JSON

Nocodb

What is CVE-2026-47386?

Affected Version(s)

References

CVSS V4

Timeline