MEDIUM

GHSA-x4vh-j75g-268g

NocoDB's Refresh Tokens Not Revoked on Password Reset

Details

### Summary The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.

### Details `passwordReset()` in `users.service.ts` updated `token_version` (invalidating JWTs) but did not call `UserRefreshToken.deleteAllUserToken()`. The `refreshToken()` method only checked token existence, not `token_version`. Both `passwordChange()` and `signOut()` correctly deleted all refresh tokens.

### Impact An attacker who previously obtained a refresh token retains access after password reset until the token expires.

### Credit This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / nocodb

Introduced in: 0 Fixed in: 0.301.3

Fix npm install nocodb@0.301.3

References

https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-28396 [ADVISORY]
https://github.com/nocodb/nocodb [PACKAGE]
https://github.com/nocodb/nocodb/releases/tag/0.301.3 [WEB]