GHSA-r989-7g3j-wjhw

Source
https://github.com/advisories/GHSA-r989-7g3j-wjhw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-r989-7g3j-wjhw/GHSA-r989-7g3j-wjhw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r989-7g3j-wjhw
Aliases
  • CVE-2026-53928
Published
2026-06-17T14:07:33Z
Modified
2026-06-17T14:15:07.777993206Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
NocoDB: Refresh Tokens Persist Through Password Recovery
Details

Summary

A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.

Details

The passwordChange and passwordReset handlers deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens; it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could therefore still exchange it for a new access token after the victim had triggered the recovery flow.
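The following is an added illustration, not NocoDB's code, of the revocation gap the advisory describes: a recovery flow that rotates a token version and clears OAuth tokens but leaves server-side refresh tokens in place, beside the corrected flow that also deletes them. All names (RefreshTokenStore, passwordForgotVulnerable, passwordForgotFixed, stolenTokenStillWorks) and the assumption that the refresh endpoint honours any token still present in its store are hypothetical and chosen only for this example.

```typescript
// Added example, not NocoDB's code: an in-memory model of why a "forgot
// password" recovery flow must revoke refresh tokens, not only rotate a
// token version. All names below are hypothetical.

interface User {
  id: string;
  tokenVersion: number;
  oauthTokens: Set<string>;
}

// Server-side table of outstanding refresh tokens, keyed by token value.
class RefreshTokenStore {
  private readonly byToken = new Map<string, string>(); // token -> user id

  issue(userId: string, token: string): void {
    this.byToken.set(token, userId);
  }

  ownerOf(token: string): string | undefined {
    return this.byToken.get(token);
  }

  // Revoke every refresh token belonging to one user; returns how many were removed.
  deleteAllUserTokens(userId: string): number {
    let removed = 0;
    this.byToken.forEach((owner, token) => {
      if (owner === userId) {
        this.byToken.delete(token);
        removed++;
      }
    });
    return removed;
  }
}

// Refresh endpoint as modelled here (assumption): any token still present in
// the store is honoured, so bumping tokenVersion alone does not invalidate a
// leaked token.
function refreshAccessToken(
  store: RefreshTokenStore,
  users: Map<string, User>,
  refreshToken: string,
): string | null {
  const userId = store.ownerOf(refreshToken);
  const user = userId !== undefined ? users.get(userId) : undefined;
  if (!user) return null;
  return `access-token:${user.id}:v${user.tokenVersion}`; // constructed stand-in for a JWT
}

// Shape of the flawed flow in the advisory: token version rotated, OAuth
// tokens revoked, refresh tokens left untouched.
function passwordForgotVulnerable(_store: RefreshTokenStore, user: User): void {
  user.tokenVersion += 1;
  user.oauthTokens.clear();
}

// Corrected flow: additionally drop every refresh token the user holds,
// matching what the passwordChange and passwordReset paths already did.
function passwordForgotFixed(store: RefreshTokenStore, user: User): void {
  user.tokenVersion += 1;
  user.oauthTokens.clear();
  store.deleteAllUserTokens(user.id);
}

type ForgotFlow = (store: RefreshTokenStore, user: User) => void;

// Scenario: a refresh token leaks, the victim runs the recovery flow, and we
// check whether the leaked token can still mint an access token afterwards.
function stolenTokenStillWorks(forgot: ForgotFlow): boolean {
  const store = new RefreshTokenStore();
  const victim: User = { id: "user-42", tokenVersion: 1, oauthTokens: new Set(["oauth-1"]) };
  const users = new Map<string, User>([[victim.id, victim]]);

  const leakedRefreshToken = "refresh-abc123"; // constructed sample value
  store.issue(victim.id, leakedRefreshToken);

  forgot(store, victim); // victim triggers "forgot password"
  return refreshAccessToken(store, users, leakedRefreshToken) !== null;
}

console.log("vulnerable flow, leaked token still works:", stolenTokenStillWorks(passwordForgotVulnerable)); // true
console.log("fixed flow, leaked token still works:", stolenTokenStillWorks(passwordForgotFixed)); // false
```

The check worth keeping from this model is the last one: after any credential-recovery path completes, a previously issued refresh token must no longer produce an access token. A regression test of that shape would have caught the missing deleteAllUserToken call regardless of how token_version is handled.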

Impact

Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.

Credit

This issue was reported by @bugbunny-research.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-613"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-06-17T14:07:33Z"
}
Affected packages

Package
npm / nocodb

Affected ranges
Type: SEMVER
Events
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Last affected: 0.301.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-r989-7g3j-wjhw/GHSA-r989-7g3j-wjhw.json"