CVE-2026-28396 MEDIUM

CVE-2026-28396: NocoDB: Refresh Tokens Not Revoked on Password Reset

Vendor Nocodb
Product nocodb
Weakness CWE-613 · Insufficient session expiration
Published March 2, 2026
Last update March 3, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.

Key dates

02Disclosure timeline

March 2, 2026 CVE published
March 3, 2026 Record updated