CVE-2026-28396 Overview
NocoDB, an open-source platform for building databases as spreadsheets, contains an authentication vulnerability in versions prior to 0.301.3. The password reset flow fails to revoke existing refresh tokens, enabling an attacker who previously obtained a valid refresh token to continue generating valid JSON Web Tokens (JWTs) even after the victim resets their password. This session management flaw undermines the security purpose of password resets and allows persistent unauthorized access.
Critical Impact
An attacker with a stolen refresh token can maintain indefinite access to a victim's NocoDB account, bypassing password reset protections and continuing to mint valid authentication tokens.
Affected Products
- NocoDB versions prior to 0.301.3
- Self-hosted NocoDB instances with local authentication enabled
- NocoDB deployments using JWT-based authentication
Discovery Timeline
- 2026-03-02 - CVE-2026-28396 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28396
Vulnerability Analysis
This vulnerability is classified under CWE-613 (Insufficient Session Expiration). The core issue lies in NocoDB's session management architecture, where the password reset mechanism operates independently from the refresh token lifecycle. When a user initiates a password reset to regain control of a potentially compromised account, the system fails to invalidate previously issued refresh tokens stored in the attacker's possession.
In JWT-based authentication systems, refresh tokens are long-lived credentials that allow clients to obtain new access tokens without re-authenticating. A properly implemented password reset should serve as a complete session invalidation event, revoking all existing authentication credentials including refresh tokens. NocoDB's flawed implementation allows the persistence of refresh tokens across password changes, creating a window for continued account compromise.
Root Cause
The root cause stems from incomplete session invalidation during the password reset workflow. NocoDB's authentication system did not implement a mechanism to track and revoke refresh tokens associated with a user account when their password is changed. The refresh token validation logic only verified token signatures and expiration without checking against a revocation list or the timestamp of the last password change.
Attack Vector
An attacker exploiting this vulnerability must first obtain a valid refresh token through methods such as:
- Session hijacking - Intercepting tokens via man-in-the-middle attacks or compromised networks
- Credential theft - Accessing tokens from browser storage, logs, or backups
- Phishing - Social engineering attacks that capture authentication tokens
Once in possession of a refresh token, even if the victim becomes aware of the compromise and resets their password, the attacker retains the ability to exchange the stolen refresh token for new access tokens. This creates a persistent backdoor that circumvents the victim's remediation efforts.
The attack flow exploits the disconnect between password credentials and token validity. When the victim resets their password believing they have secured their account, the attacker's previously captured refresh token remains valid in the authentication system, allowing continued unauthorized API access to the victim's NocoDB databases and workspaces.
Detection Methods for CVE-2026-28396
Indicators of Compromise
- Multiple active sessions or refresh tokens for a single user account, especially after password reset events
- API access patterns from unusual IP addresses or geographic locations following a password reset
- JWT token generation requests using refresh tokens issued before the most recent password change
- Authentication logs showing successful token refresh operations from previously unknown client identifiers
Detection Strategies
- Monitor authentication logs for refresh token usage timestamps that predate password reset events
- Implement alerting on successful token refresh operations from IP addresses not matching the password reset origin
- Compare refresh token issuance timestamps against password change timestamps in user audit logs
- Review session management logs for users who recently performed password resets
Monitoring Recommendations
- Enable comprehensive logging of all refresh token operations including creation, usage, and invalidation
- Implement real-time monitoring for token refresh requests following password reset events
- Track geographic and device fingerprint anomalies in authentication patterns
- Configure alerts for multiple concurrent sessions originating from disparate locations
How to Mitigate CVE-2026-28396
Immediate Actions Required
- Upgrade NocoDB to version 0.301.3 or later immediately
- Force logout all active sessions for users who have performed password resets on vulnerable versions
- Manually invalidate all existing refresh tokens and require users to re-authenticate
- Review audit logs to identify accounts that may have been compromised through this vulnerability
Patch Information
NocoDB has addressed this vulnerability in version 0.301.3. The fix ensures that all existing refresh tokens are invalidated when a user resets their password, preventing the continued use of previously issued tokens. Organizations should upgrade to this version or later to receive the security fix.
For detailed patch information, refer to the NocoDB Release 0.301.3 and the GitHub Security Advisory GHSA-x4vh-j75g-268g.
Workarounds
- Implement network-level access controls to restrict NocoDB API access to trusted IP ranges
- Configure shorter refresh token expiration times to limit the window of potential exploitation
- Deploy a reverse proxy or API gateway that can enforce additional session validation checks
- Require multi-factor authentication to reduce the impact of token theft scenarios
- Monitor for and manually revoke suspicious sessions through administrative interfaces
# Workaround example - rotate the JWT signing secret after upgrading so that every
# existing access and refresh token, for all users, fails verification and users
# must re-authenticate. Assumes the compose file passes the variable through
# (e.g. NC_AUTH_JWT_SECRET: ${NC_AUTH_JWT_SECRET}) and that the service container
# is named nocodb_app; adjust both to match your deployment.
docker-compose down
# Generate a fresh 256-bit secret; tokens signed with the old secret are now invalid
export NC_AUTH_JWT_SECRET=$(openssl rand -hex 32)
docker-compose up -d
# Verify the new version is running (expect 0.301.3 or later)
docker exec nocodb_app cat package.json | grep '"version"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.