GHSA-g72g-r7m4-9x4g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g72g-r7m4-9x4g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-g72g-r7m4-9x4g/GHSA-g72g-r7m4-9x4g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g72g-r7m4-9x4g
- Aliases
-
- CVE-2026-53926
- Published
- 2026-06-05T16:43:09Z
- Modified
- 2026-06-12T19:30:08.473757615Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- NocoDB: OAuth Tokens Persist Through Security Events
- Details
-
Summary
OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.
Details
revokeAllOAuthTokensByUserin the users service was an empty stub being called frompasswordChange,passwordForgot, andpasswordReset. It now delegates toOAuthToken.revokeAllByUser(userId), which deletes the rows and invalidates the related auth caches. All three reset/recovery flows now consistently revoke refresh tokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotatetoken_version.Impact
Persistent unauthorized access through previously issued OAuth tokens after a documented security event (password change, forgot, or reset).
Credit
This issue was reported by @bugbunny-research.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-613" ], "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-06-05T16:43:09Z" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb