GHSA-F74W-272X-MQCV

Vulnerability from github – Published: 2026-05-21 20:35 – Updated: 2026-05-21 20:35
Summary
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
Details

Summary

The refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint.

Details

In packages/nocodb/src/services/users/helpers.ts, setTokenCookie produced the cookie with only httpOnly, an expires date, and an optional domain from NC_BASE_HOST_NAME — no secure, no sameSite. The refresh endpoint POST /api/v2/auth/token/refresh (auth.controller.ts) read the cookie unconditionally and returned a new JWT, with no CSRF token.

The fix sets httpOnly: true, sameSite: 'lax', and conditional secure: req.ncSiteUrl.startsWith('https') so the flag is active under HTTPS while still functional on plain-HTTP localhost development.
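The cookie shapes described above, side by side, as an added illustration rather than NocoDB's own code: the pre-fix options, the fixed options keyed off an assumed `req.ncSiteUrl`, a small Set-Cookie renderer, and an audit helper that reports which of HttpOnly, Secure and SameSite a header lacks (the constructed values `REFRESH_DAYS`, cookie name and token are stand-ins, not taken from the project).

```javascript
// Added illustration (not NocoDB's code): refresh-token cookie options before and
// after the fix, a Set-Cookie renderer, and an audit of missing hardening flags.
const REFRESH_DAYS = 7; // constructed stand-in for NC_REFRESH_TOKEN_EXP_IN_DAYS

// Vulnerable shape: httpOnly and expires only, optional domain; no secure, no sameSite.
function refreshCookieOptionsBefore(domain) {
  const opts = { httpOnly: true, expires: new Date(Date.now() + REFRESH_DAYS * 864e5) };
  if (domain) opts.domain = domain;
  return opts;
}

// Fixed shape: SameSite=Lax always, Secure whenever the site URL is HTTPS.
// `req` is assumed to carry ncSiteUrl, as the advisory names it.
function refreshCookieOptionsAfter(req, domain) {
  const opts = {
    httpOnly: true,
    sameSite: 'lax',
    secure: req.ncSiteUrl.startsWith('https'),
    expires: new Date(Date.now() + REFRESH_DAYS * 864e5),
  };
  if (domain) opts.domain = domain;
  return opts;
}

// Render an Express-style options object as a Set-Cookie header value.
function toSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Audit a Set-Cookie header: list the protections that are missing.
function missingCookieFlags(header) {
  const attrs = header.split(';').slice(1).map((s) => s.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed run: the pre-fix header lacks both Secure and SameSite.
console.log(missingCookieFlags(toSetCookie('refresh_token', 'tok', refreshCookieOptionsBefore()))); // [ 'Secure', 'SameSite' ]
```

Note that the audit still reports `Secure` as missing for the fixed options on a plain-HTTP site URL, which is exactly the localhost development case the conditional flag is designed to allow.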

This is distinct from GHSA-x4vh-j75g-268g (refresh-token lifecycle on password reset) — different root cause, different attack vector.

Impact

  • Cookie interception on plain HTTP networks (no secure).
  • Cross-site refresh: malicious cross-origin pages could trigger token refresh and, combined with any same-origin XSS or open-redirect on the NocoDB domain, capture the new JWT.
  • Refresh tokens have multi-day expiry (NC_REFRESH_TOKEN_EXP_IN_DAYS), so the exposure window is long.

Credit

This issue was reported by @ik0z.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:35:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint.\n\n### Details\n\nIn `packages/nocodb/src/services/users/helpers.ts`, `setTokenCookie` produced the cookie with only `httpOnly`, an `expires` date, and an optional `domain` from `NC_BASE_HOST_NAME` \u2014 no `secure`, no `sameSite`. The refresh endpoint `POST /api/v2/auth/token/refresh` (`auth.controller.ts`) read the cookie unconditionally and returned a new JWT, with no CSRF token.\n\nThe fix sets `httpOnly: true`, `sameSite: \u0027lax\u0027`, and conditional `secure: req.ncSiteUrl.startsWith(\u0027https\u0027)` so the flag is active under HTTPS while still functional on plain-HTTP localhost development.\n\nThis is distinct from GHSA-x4vh-j75g-268g (refresh-token lifecycle on password reset) \u2014 different root cause, different attack vector.\n\n### Impact\n\n- Cookie interception on plain HTTP networks (no `secure`).\n- Cross-site refresh: malicious cross-origin pages could trigger token refresh and, combined with any same-origin XSS or open-redirect on the NocoDB domain, capture the new JWT.\n- Refresh tokens have multi-day expiry (`NC_REFRESH_TOKEN_EXP_IN_DAYS`), so the exposure window is long.\n\n### Credit\n\nThis issue was reported by [@ik0z](https://github.com/ik0z).",
  "id": "GHSA-f74w-272x-mqcv",
  "modified": "2026-05-21T20:35:24Z",
  "published": "2026-05-21T20:35:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-f74w-272x-mqcv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags"
}

