GHSA-F76X-F9VJ-92JV

Vulnerability from github – Published: 2026-05-21 20:39 – Updated: 2026-05-21 20:39
Summary
NocoDB: Stale Auth Cache After API Token Deletion
Details

Summary

Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time.

Details

The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days.

Impact

Tokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator's expected security guarantee that deletion is immediate.
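To make the deletion-to-revocation window concrete, here is an added TypeScript illustration (not NocoDB's own code; the function names, the in-memory "database", the three-day TTL constant and the fake clock are all constructed for this example). It models an auth middleware that caches lookups keyed by the raw token value, a deletion path that only removes the database row, and the corrected path that first resolves the token value from the row and then evicts that cache entry:

```typescript
// Added example, not code from the NocoDB project: a token-value keyed
// auth cache, the deletion path that forgets to evict, and the fixed path.

type TokenRow = { id: string; token: string; userId: string };
type CacheEntry = { userId: string; expiresAt: number };

// Fake clock so the TTL behaviour is deterministic (constructed for the demo).
let now = 0;
function advanceClock(ms: number): void {
  now += ms;
}

// Three-day TTL, matching the window described in the advisory.
const TTL_MS = 3 * 24 * 60 * 60 * 1000;

// "Database" rows keyed by token id (what a delete endpoint receives).
const rows = new Map<string, TokenRow>();
// Auth cache keyed by token VALUE (what the middleware sees on each request).
const authCache = new Map<string, CacheEntry>();

function createToken(id: string, token: string, userId: string): void {
  rows.set(id, { id, token, userId });
}

// Auth middleware: an unexpired cache hit wins; otherwise consult the
// database and populate the cache for the next request.
function authenticate(token: string): string | null {
  const hit = authCache.get(token);
  if (hit && hit.expiresAt > now) return hit.userId;
  authCache.delete(token); // drop an expired entry, if any
  for (const row of rows.values()) {
    if (row.token === token) {
      authCache.set(token, { userId: row.userId, expiresAt: now + TTL_MS });
      return row.userId;
    }
  }
  return null;
}

// Vulnerable deletion path: removes the row but leaves the cache entry,
// so the middleware keeps accepting the token until the entry ages out.
function deleteTokenStale(id: string): boolean {
  return rows.delete(id);
}

// Fixed deletion path: resolve the token value from the row BEFORE deleting
// it, then evict the cache entry keyed by that value.
function deleteTokenEvicting(id: string): boolean {
  const row = rows.get(id);
  if (!row) return false;
  rows.delete(id);
  authCache.delete(row.token);
  return true;
}

function resetState(): void {
  rows.clear();
  authCache.clear();
  now = 0;
}

// Scenario: warm the cache, delete the token, then check who the middleware
// authenticates immediately after deletion and again once the TTL has passed.
function revocationWindowDemo(useFix: boolean): {
  immediatelyAfterDelete: string | null;
  afterTtl: string | null;
} {
  resetState();
  createToken("tok-1", "nc_constructed_example_secret", "user-42");
  authenticate("nc_constructed_example_secret"); // populates the cache
  if (useFix) deleteTokenEvicting("tok-1");
  else deleteTokenStale("tok-1");
  const immediatelyAfterDelete = authenticate("nc_constructed_example_secret");
  advanceClock(TTL_MS + 1);
  const afterTtl = authenticate("nc_constructed_example_secret");
  return { immediatelyAfterDelete, afterTtl };
}

console.log("stale delete:", revocationWindowDemo(false)); // user-42 then null
console.log("evicting delete:", revocationWindowDemo(true)); // null then null
```

The stale path still returns `user-42` right after deletion and only fails once the clock passes the TTL, which is exactly the window the advisory describes; the evicting path fails immediately. Two points worth checking in a real deployment: the eviction must happen in the same store the middleware reads (a shared cache such as Redis needs the delete issued there, not only in a per-process map), and the token value has to be captured before the row is removed, since after the delete there is nothing left to derive the cache key from.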

Credit

This issue was reported by @bugbunny-research.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:39:53Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nDeleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time.\n\n### Details\nThe API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days.\n\n### Impact\nTokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator\u0027s expected security guarantee that deletion is immediate.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
  "id": "GHSA-f76x-f9vj-92jv",
  "modified": "2026-05-21T20:39:54Z",
  "published": "2026-05-21T20:39:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-f76x-f9vj-92jv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: Stale Auth Cache After API Token Deletion"
}
