
NocoDB: Refresh Tokens Persist Through Password Recovery

When:
Where: Global (internet)
Category: cyber_advisory · npm

### Summary

A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.

### Details

`passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated `token_version` and revoked OAuth tokens — it did not call `UserRefreshToken.deleteAllUserToken(user.id)`. An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow.

### Impact

Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).
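Added here as an illustration, not NocoDB's own code: a constructed TypeScript model of the recovery flow in which the token store, user record, access-token format and refresh exchange are all assumptions. It shows why bumping `token_version` alone leaves a captured refresh token usable, and that adding the `deleteAllUserToken` call is what actually closes the session.

```typescript
// Constructed model (assumption): refresh tokens are stored rows, and the refresh
// exchange only checks that a row exists, so token_version does not invalidate them.
interface User { id: string; tokenVersion: number }
interface RefreshRow { token: string; userId: string }

class UserRefreshTokenStore {
  private rows: RefreshRow[] = [];
  insert(token: string, userId: string): void { this.rows.push({ token, userId }); }
  find(token: string): RefreshRow | undefined { return this.rows.find(r => r.token === token); }
  // Counterpart of the deleteAllUserToken(user.id) call the advisory says was missing
  deleteAllUserToken(userId: string): void { this.rows = this.rows.filter(r => r.userId !== userId); }
}

// Refresh exchange: a surviving row is enough to mint a new access token for the user.
function refreshAccessToken(store: UserRefreshTokenStore, users: Map<string, User>, token: string): string | null {
  const row = store.find(token);
  if (!row) return null;
  const user = users.get(row.userId);
  if (!user) return null;
  return `access:${user.id}:v${user.tokenVersion}`; // assumed access-token shape
}

// Vulnerable shape of passwordForgot: rotates token_version (old access JWTs die) but leaves refresh rows.
function passwordForgotVulnerable(store: UserRefreshTokenStore, user: User): void {
  user.tokenVersion += 1;
}

// Fixed shape: also drop every stored refresh token for the user, as passwordChange/passwordReset do.
function passwordForgotFixed(store: UserRefreshTokenStore, user: User): void {
  user.tokenVersion += 1;
  store.deleteAllUserToken(user.id);
}

// Returns true when a previously captured refresh token can still mint an access token
// after the given recovery flow runs.
function leakedTokenStillWorks(forgot: (s: UserRefreshTokenStore, u: User) => void): boolean {
  const store = new UserRefreshTokenStore();
  const users = new Map<string, User>();
  const user: User = { id: "u1", tokenVersion: 1 };
  users.set(user.id, user);
  const captured = "constructed-leaked-refresh-cookie"; // constructed sample value
  store.insert(captured, user.id);
  forgot(store, user);
  return refreshAccessToken(store, users, captured) !== null;
}
```

Running `leakedTokenStillWorks` with each variant makes the difference visible: the vulnerable flow still returns a fresh access token, the fixed flow returns none.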
