MEDIUM

GHSA-r989-7g3j-wjhw

NocoDB: Refresh Tokens Persist Through Password Recovery

Details

### Summary

A stolen refresh token survived the password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.

### Details

`passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated `token_version` and revoked OAuth tokens; it did not call `UserRefreshToken.deleteAllUserToken(user.id)`. An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow.
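The following is an added, self-contained model of the flaw described above, written for this page; it is not NocoDB code. The in-memory tables, the plain-object access token, the `verifyAccess` check that rejects a stale `token_version`, and every function name except the borrowed `deleteAllUserToken` are assumptions chosen to make the mechanism visible: rotating `token_version` kills existing access tokens, but a refresh token that is still in the table mints a new access token stamped with the new `token_version`, so the recovery flow has to delete refresh tokens as well.

```typescript
// Added, constructed model of the flaw described above. Not NocoDB code: the tables,
// token formats and function names below are simplified stand-ins chosen for illustration.
import { randomBytes } from "crypto";

interface User {
  id: string;
  token_version: string; // rotated on password events; stamped into access tokens
}

// Access token as a plain object; a real JWT would carry these as claims.
interface AccessToken {
  sub: string;
  token_version: string;
}

// In-memory stand-ins for the users table, the refresh-token table and OAuth grants.
const users = new Map<string, User>();
const refreshTokens = new Map<string, string>(); // refresh token -> user id
const oauthTokens = new Map<string, string[]>(); // user id -> issued OAuth tokens

function newSecret(): string {
  return randomBytes(16).toString("hex");
}

function createUser(): User {
  const user: User = { id: "user-" + newSecret(), token_version: newSecret() };
  users.set(user.id, user);
  oauthTokens.set(user.id, [newSecret()]);
  return user;
}

// Login issues an access token bound to the current token_version plus a long-lived refresh token.
function login(userId: string): { access: AccessToken; refresh: string } {
  const user = users.get(userId)!;
  const refresh = newSecret();
  refreshTokens.set(refresh, user.id);
  return { access: { sub: user.id, token_version: user.token_version }, refresh };
}

// Assumed check: an access token whose token_version no longer matches the user's is rejected.
function verifyAccess(token: AccessToken): boolean {
  const user = users.get(token.sub);
  return user !== undefined && user.token_version === token.token_version;
}

// The refresh grant: any refresh token still present in the table mints a new access token
// stamped with the user's *current* token_version. Rotating token_version therefore does
// nothing against a refresh token that was never deleted.
function refresh(token: string): AccessToken | null {
  const userId = refreshTokens.get(token);
  if (userId === undefined) return null;
  const user = users.get(userId)!;
  return { sub: user.id, token_version: user.token_version };
}

// Stand-in for UserRefreshToken.deleteAllUserToken(user.id): drop every refresh token of the user.
function deleteAllUserToken(userId: string): void {
  const stale: string[] = [];
  refreshTokens.forEach((uid, tok) => { if (uid === userId) stale.push(tok); });
  stale.forEach((tok) => refreshTokens.delete(tok));
}

function rotateTokenVersionAndRevokeOAuth(userId: string): void {
  users.get(userId)!.token_version = newSecret();
  oauthTokens.set(userId, []);
}

// Vulnerable shape of passwordForgot: existing access tokens die, refresh tokens survive.
function passwordForgotVulnerable(userId: string): void {
  rotateTokenVersionAndRevokeOAuth(userId);
}

// Fixed shape: additionally revoke the refresh tokens, as passwordChange/passwordReset already did.
function passwordForgotFixed(userId: string): void {
  rotateTokenVersionAndRevokeOAuth(userId);
  deleteAllUserToken(userId);
}

// Replays the scenario: attacker captures a session, victim runs the recovery flow,
// attacker tries the captured access token and then the captured refresh token.
function runScenario(flow: (userId: string) => void): { oldAccessValid: boolean; refreshStillWorks: boolean } {
  const victim = createUser();
  const stolen = login(victim.id); // the captured refresh cookie
  flow(victim.id);
  const minted = refresh(stolen.refresh);
  return {
    oldAccessValid: verifyAccess(stolen.access),
    refreshStillWorks: minted !== null && verifyAccess(minted),
  };
}

console.log("vulnerable:", runScenario(passwordForgotVulnerable)); // refreshStillWorks: true
console.log("fixed:     ", runScenario(passwordForgotFixed));      // refreshStillWorks: false
```

With the vulnerable flow the captured access token is dead but the captured refresh token still yields a valid new access token; with the fixed flow both fail. When auditing a real deployment, the equivalent check is to capture a refresh cookie, run "Forgot password" for that account, and confirm the refresh endpoint now rejects the old cookie.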

### Impact

Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).

Affected packages

npm / nocodb
Introduced in: 0

No fixed version published yet for nocodb (npm). Pin to a known-safe version or switch to an alternative.