Refresh Token Vulnerability in NocoDB Software by NocoDB
CVE-2026-53928

6.3 MEDIUM

Key Information:

Vendor: Nocodb
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-53928?

NocoDB, a database-management tool that presents databases in a spreadsheet-like interface, contained a vulnerability in which a stolen refresh token remained usable after the user recovered their password. Refresh tokens were deleted on password change and on password reset, but the forgot-password flow only rotated the token version without revoking the refresh token. An attacker who had captured a refresh token could therefore keep generating new JSON Web Tokens (JWTs) even after the user's password had been changed. The issue was fixed in version 2026.05.1.

Affected Version(s)

nocodb < 2026.05.1

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved