CVE-2026-46554
NocoDB: Stale Auth Cache After API Token Deletion
Description
### Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. ### Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. ### Impact Tokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator's expected security guarantee that deletion is immediate. ### Credit This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).
How to fix CVE-2026-46554
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2026-46554 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46554.
Affected packages (1)
- from 0, <= 0.301.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |