GHSA-f74w-272x-mqcv

Source
https://github.com/advisories/GHSA-f74w-272x-mqcv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f74w-272x-mqcv/GHSA-f74w-272x-mqcv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f74w-272x-mqcv
Aliases
  • CVE-2026-46550
Published
2026-05-21T20:35:24Z
Modified
2026-05-21T20:45:09.207448710Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
Details

Summary

The refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint.

Details

In packages/nocodb/src/services/users/helpers.ts, setTokenCookie produced the cookie with only httpOnly, an expires date, and an optional domain from NC_BASE_HOST_NAME — no secure, no sameSite. The refresh endpoint POST /api/v2/auth/token/refresh (auth.controller.ts) read the cookie unconditionally and returned a new JWT, with no CSRF token.

The fix sets httpOnly: true, sameSite: 'lax', and conditional secure: req.ncSiteUrl.startsWith('https') so the flag is active under HTTPS while still functional on plain-HTTP localhost development.

This is distinct from GHSA-x4vh-j75g-268g (refresh-token lifecycle on password reset) — different root cause, different attack vector.

Impact

  • Cookie interception on plain HTTP networks (no secure).
  • Cross-site refresh: malicious cross-origin pages could trigger token refresh and, combined with any same-origin XSS or open-redirect on the NocoDB domain, capture the new JWT.
  • Refresh tokens have multi-day expiry (NC_REFRESH_TOKEN_EXP_IN_DAYS), so the exposure window is long.

Credit

This issue was reported by @ik0z.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:35:24Z",
    "severity": "MODERATE"
}
References

Affected packages

npm / nocodb

Affected ranges

Type: SEMVER
Events
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Last affected: 0.301.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f74w-272x-mqcv/GHSA-f74w-272x-mqcv.json"