
NocoDB: Attacker Keeps Access After Password Reset

CVE-2026-28396 GHSA-x4vh-j75g-268g
Summary

NocoDB's password reset flow bumped the user's token_version, which invalidates outstanding JWTs, but did not delete the user's stored refresh tokens. An attacker who had already stolen a refresh token could therefore keep exchanging it for fresh, valid JWTs after the victim reset their password, and that access lasts until the refresh token itself expires. Affected users should upgrade to NocoDB 0.301.3, which contains the fix. Because the advisory notes that signOut() and passwordChange() already deleted all of a user's refresh tokens, a user on an unpatched instance who suspects token theft can revoke outstanding refresh tokens by signing out or changing the password from within an authenticated session rather than relying on the reset flow.

What to do
  • Update pranavxc nocodb to version 0.301.3.
Affected software
Vendor     Product   Affected versions   Fix available
pranavxc   nocodb    <= 0.301.2          0.301.3
nocodb     nocodb    <= 0.301.3          –
Original title
NocoDB's Refresh Tokens Not Revoked on Password Reset
Original description
### Summary
The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.

### Details
`passwordReset()` in `users.service.ts` updated `token_version` (invalidating JWTs) but did not call `UserRefreshToken.deleteAllUserToken()`. The `refreshToken()` method only checked token existence, not `token_version`. Both `passwordChange()` and `signOut()` correctly deleted all refresh tokens.

### Impact
An attacker who previously obtained a refresh token retains access after password reset until the token expires.

### Credit
This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).
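The Details section above describes the bug as two missing checks: passwordReset() bumped token_version without deleting refresh tokens, and refreshToken() checked only that a token existed. The following TypeScript is an added example, not NocoDB's code, that models both behaviours in a small in-memory service so the scenario can be replayed: a refresh token stolen before the reset still mints accepted JWTs in the vulnerable mode and is refused in the fixed mode. Every identifier here (MiniUserService, users, refreshTokens, the per-token token_version field, the HS256 signing helper) is an illustrative assumption rather than a NocoDB API.

```typescript
// Added example (not NocoDB's own code): a stripped-down model of the
// passwordReset()/refreshToken() logic described in the advisory, with the
// vulnerable behaviour selectable beside the fixed one. Class and field
// names are illustrative assumptions, not NocoDB identifiers.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const SECRET = "dev-only-secret-for-the-example"; // constructed; never use in production

type User = { id: string; password: string; token_version: number };
// Assumption: each stored refresh token remembers the token_version it was issued under.
type RefreshRecord = { user_id: string; token_version: number };

const b64url = (s: string): string => Buffer.from(s).toString("base64url");
const hmac = (data: string): string =>
  createHmac("sha256", SECRET).update(data).digest("base64url");

// Minimal HS256 JWT (header.payload.signature), enough to show the version check.
function signJwt(payload: { sub: string; token_version: number }): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hmac(`${head}.${body}`)}`;
}

class MiniUserService {
  private users = new Map<string, User>();
  private refreshTokens = new Map<string, RefreshRecord>();
  private readonly fixed: boolean;

  // fixed=false reproduces the flaw; fixed=true applies the revocation.
  constructor(fixed: boolean) {
    this.fixed = fixed;
  }

  addUser(id: string, password: string): void {
    this.users.set(id, { id, password, token_version: 0 });
  }

  // Login: a JWT bound to the current token_version plus a long-lived refresh token.
  signIn(id: string, password: string): { jwt: string; refreshToken: string } {
    const u = this.users.get(id);
    if (!u || u.password !== password) throw new Error("bad credentials");
    const refreshToken = randomBytes(32).toString("hex");
    this.refreshTokens.set(refreshToken, { user_id: id, token_version: u.token_version });
    return { jwt: signJwt({ sub: id, token_version: u.token_version }), refreshToken };
  }

  // A JWT is accepted only if its signature checks and its token_version
  // still matches the user row (this is how bumping token_version kills JWTs).
  verifyJwt(jwt: string): boolean {
    const [head, body, sig] = jwt.split(".");
    if (!head || !body || !sig) return false;
    const expected = hmac(`${head}.${body}`);
    if (sig.length !== expected.length) return false;
    if (!timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) return false;
    const claims = JSON.parse(Buffer.from(body, "base64url").toString()) as {
      sub: string;
      token_version: number;
    };
    const u = this.users.get(claims.sub);
    return !!u && u.token_version === claims.token_version;
  }

  // Vulnerable passwordReset(): bumps token_version (invalidating existing JWTs)
  // but leaves refresh tokens in place. The fix does what passwordChange() and
  // signOut() already did: delete every refresh token belonging to the user.
  passwordReset(id: string, newPassword: string): void {
    const u = this.users.get(id);
    if (!u) throw new Error("no such user");
    u.password = newPassword;
    u.token_version += 1;
    if (this.fixed) {
      for (const [tok, rec] of this.refreshTokens) {
        if (rec.user_id === id) this.refreshTokens.delete(tok);
      }
    }
  }

  // Vulnerable refreshToken(): existence check only, so a stale token keeps
  // minting JWTs that carry the *new* token_version. Fixed: also refuse (and
  // drop) any refresh token issued under an older token_version.
  refreshToken(token: string): string | null {
    const rec = this.refreshTokens.get(token);
    if (!rec) return null;
    const u = this.users.get(rec.user_id);
    if (!u) return null;
    if (this.fixed && rec.token_version !== u.token_version) {
      this.refreshTokens.delete(token);
      return null;
    }
    return signJwt({ sub: u.id, token_version: u.token_version });
  }
}

// Replays the advisory's scenario: the attacker holds a refresh token stolen
// before the victim resets their password. Returns true if the attacker can
// still obtain a JWT the service accepts afterwards.
function attackerKeepsAccess(fixed: boolean): boolean {
  const svc = new MiniUserService(fixed);
  svc.addUser("victim", "hunter2");
  const { jwt: oldJwt, refreshToken: stolen } = svc.signIn("victim", "hunter2");
  svc.passwordReset("victim", "correct-horse-battery");
  if (svc.verifyJwt(oldJwt)) throw new Error("token_version bump should kill the old JWT");
  const fresh = svc.refreshToken(stolen);
  return fresh !== null && svc.verifyJwt(fresh);
}

console.log("vulnerable:", attackerKeepsAccess(false), "fixed:", attackerKeepsAccess(true));
```

The model applies both closures together: deleting the user's refresh tokens on reset is the change the advisory describes, and refusing refresh tokens issued under an older token_version is a second layer that keeps a missed deletion from reopening the hole; the per-token token_version field that makes the second check possible is an assumption of this example, not something the advisory says NocoDB stores.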
NVD CVSS 3.1 base score: 6.5
NVD CVSS 4.0 base score: 4.9
Vulnerability type
CWE-613 (Insufficient Session Expiration)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026