GHSA-g72g-r7m4-9x4gMedium

NocoDB: OAuth Tokens Persist Through Security Events

Published
June 5, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.

Details

revokeAllOAuthTokensByUser in the users service was an empty stub being called from passwordChange, passwordForgot, and passwordReset. It now delegates to OAuthToken.revokeAllByUser(userId), which deletes the rows and invalidates the related auth caches. All three reset/recovery flows now consistently revoke refresh tokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate token_version.

Impact

Persistent unauthorized access through previously issued OAuth tokens after a documented security event (password change, forgot, or reset).

Credit

This issue was reported by @bugbunny-research.

🎯 Affected products1

  • npm/nocodb:<= 2026.05.0

🔗 References (3)