LOW

GHSA-f76x-f9vj-92jv

NocoDB: Stale Auth Cache After API Token Deletion

Details

### Summary

Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time.

### Details

The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days.

### Impact

Tokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator's expected security guarantee that deletion is immediate.
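The bug pattern described above, as an added example that is not NocoDB's own code: a minimal token store with a TTL auth cache keyed by token value, showing a deletion path that only removes the row beside one that also evicts the cache entry. Class and method names, the injectable clock, and the three-day TTL are assumptions for illustration.

```typescript
// Added illustration (not NocoDB's code): stale auth cache after token deletion.
interface TokenRow { token: string; userId: string }
interface CacheEntry { userId: string; expiresAt: number }

// Cache TTL taken from the advisory's "up to three days" window (assumed value).
const CACHE_TTL_MS = 3 * 24 * 60 * 60 * 1000;

class TokenAuth {
  private db = new Map<string, TokenRow>();      // stands in for the API-token table
  private cache = new Map<string, CacheEntry>(); // auth cache keyed by token value

  // Clock is injectable so TTL expiry can be simulated without waiting.
  constructor(private now: () => number = Date.now) {}

  create(token: string, userId: string): void {
    this.db.set(token, { token, userId });
  }

  // Auth middleware: serve from the cache first, fall back to the database,
  // and populate the cache on a miss.
  authenticate(token: string): string | null {
    const hit = this.cache.get(token);
    if (hit && hit.expiresAt > this.now()) return hit.userId;
    const row = this.db.get(token);
    if (!row) return null;
    this.cache.set(token, { userId: row.userId, expiresAt: this.now() + CACHE_TTL_MS });
    return row.userId;
  }

  // Vulnerable deletion path: removes the row but leaves the cached entry,
  // so the token keeps authenticating until the entry ages out.
  deleteStale(token: string): void {
    this.db.delete(token);
  }

  // Fixed deletion path: also evict the token-value keyed cache entry,
  // so revocation takes effect immediately.
  deleteFixed(token: string): void {
    this.db.delete(token);
    this.cache.delete(token);
  }
}
```

Run `authenticate` once before deleting to warm the cache; only then does the difference between the two deletion paths appear.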

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).

Affected packages

npm / nocodb
Introduced in: 0

No fixed version published yet for nocodb (npm). Pin to a known-safe version or switch to an alternative.