CVE-2026-28396

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28396

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28396.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28396

Aliases

GHSA-x4vh-j75g-268g

Published

2026-03-02T16:18:46.640Z

Modified

2026-03-03T02:57:14.638870Z

Severity

4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

NocoDB: Refresh Tokens Not Revoked on Password Reset

Details

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.

Database specific

{
    "cwe_ids": [
        "CWE-613"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28396.json"
}

References

Affected packages

Git / github.com/nocodb/nocodb

Affected ranges

Type

GIT

Repo

https://github.com/nocodb/nocodb

Events

Introduced

Fixed

391834484b11c429e4ff5677538b3b2f16ca510d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.301.3"
        }
    ]
}

Affected versions

0.*

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.100.0

0.100.1

0.100.2

0.101.0

0.101.0-beta.0

0.101.2

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.106.0

0.106.0-beta.0

0.106.0-beta.1

0.106.1

0.107.0

0.107.0-beta.0

0.107.0-beta.1

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.108.0

0.108.0-beta.0

0.108.1

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.109.7

0.11.0

0.11.1

0.11.10

0.11.11

0.11.12

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.25

0.11.26

0.11.28

0.11.29

0.11.3

0.11.30

0.11.31

0.11.32

0.11.33

0.11.34

0.11.36

0.11.39

0.11.4

0.11.40

0.11.41

0.11.42

0.11.43

0.11.44

0.11.45

0.11.46

0.11.5

0.11.6

0.11.7

0.11.9

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.200.0

0.202.0

0.202.10

0.202.4

0.202.5

0.202.6

0.202.7

0.202.8

0.202.9

0.203.0

0.203.1

0.203.2

0.204.0

0.204.1

0.204.2

0.204.3

0.204.4

0.204.5

0.204.6

0.204.7

0.204.8

0.204.9

0.205.0

0.205.1

0.207.0

0.207.1

0.207.2

0.207.3

0.250.0

0.250.1

0.250.2

0.251.0

0.251.1

0.251.2

0.251.3

0.252.0

0.253.0

0.255.0

0.255.1

0.255.2

0.256.0

0.257.0

0.257.2

0.258.0

0.258.1

0.258.10

0.258.11

0.258.2

0.258.3

0.260.0

0.260.1

0.260.2

0.260.3

0.260.4

0.260.5

0.260.6

0.260.7

0.261.0

0.262.0

0.262.1

0.262.2

0.262.3

0.262.4

0.262.5

0.263.0

0.263.1

0.263.2

0.263.3

0.263.4

0.263.6

0.263.7

0.263.8

0.264.0

0.264.1

0.264.2

0.264.3

0.264.4

0.264.6

0.264.7

0.264.8

0.264.9

0.265.0

0.265.1

0.300.0

0.301.0

0.301.1

0.301.2

0.4.5

0.4.8

0.4.9

0.80.0

0.81.0

0.81.1

0.82.0

0.83.0

0.83.1

0.83.2

0.83.3

0.83.4

0.83.5

0.83.6

0.83.8

0.84.1

0.84.10

0.84.12

0.84.13

0.84.14

0.84.15

0.84.16

0.84.2

0.84.3

0.84.6

0.84.7

0.84.8

0.84.9

0.9

0.90.0

0.90.1

0.90.10

0.90.11

0.90.2

0.90.3

0.90.4

0.90.5

0.90.7

0.90.8

0.90.9

0.91.0

0.91.1

0.91.10

0.91.6

0.91.7

0.91.8

0.91.9

0.92.0

0.92.1

0.92.2

0.92.3

0.92.4

0.96.0

0.96.1

0.96.2

0.96.4

0.97.0

0.98.1

0.98.2

0.98.3

0.98.4

0.99.0

0.99.1

0.99.2

v0.*

v0.10.0

v0.4.2

v0.4.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28396.json"