CVE-2026-28396

EPSS 0.18%
Veröffentlicht 02.03.2026 16:18:46
Zuletzt bearbeitet 03.03.2026 19:01:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NocoDB: Refresh Tokens Not Revoked on Password Reset

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nocodb ≫ Nocodb Version < 0.301.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.078

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	4.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/nocodb/nocodb/releases/tag/0.301.3

Product

Release Notes

https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-28396

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28396

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28396

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28396