CVE-2026-28396
EPSS 0.04%NocoDB's Refresh Tokens Not Revoked on Password Reset
描述
### Summary The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. ### Details `passwordReset()` in `users.service.ts` updated `token_version` (invalidating JWTs) but did not call `UserRefreshToken.deleteAllUserToken()`. The `refreshToken()` method only checked token existence, not `token_version`. Both `passwordChange()` and `signOut()` correctly deleted all refresh tokens. ### Impact An attacker who previously obtained a refresh token retains access after password reset until the token expires. ### Credit This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).
受影響套件(1)
- npm/nocodbfrom 0, < 0.301.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |