CVE-2026-47386
NocoDB: OAuth Authorization Code Race Condition
Description
### Summary

Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid `(access_token, refresh_token)` pair, breaking the single-use guarantee that PKCE relies on.

### Details

The token-exchange flow read `is_used` and called `markAsUsed` as an unconditional update at the end of the path. A new `OAuthAuthorizationCode.claimByCode` method now performs an atomic compare-and-swap (`WHERE code = ? AND is_used = false`) and is called immediately before `OAuthToken.insert`, after redirect-URI, PKCE, and client authentication have all succeeded. Only the first concurrent caller's `UPDATE` wins; the rest see `invalid_grant: Authorization code has already been used`.

### Impact

An attacker who has observed an authorization code and the corresponding PKCE verifier (for example through a malicious OAuth-aware client or by racing a real exchange) could obtain a long-lived refresh token in addition to the legitimate one.

### Credit

This issue was reported by [@eddieran](https://github.com/eddieran).
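The race and the fix, as an added example that is not NocoDB's own code: two token-exchange requests are interleaved step by step by a round-robin scheduler, where each `yield` stands for one database round trip. The read-then-mark flow lets both requests pass the `is_used` check before either writes; the atomic claim (the single conditional `UPDATE`) lets only the first one through. Table, function and parameter names are assumptions.

```typescript
// Added example, not NocoDB's code. Models two concurrent token-exchange
// requests that share one authorization code. Each `yield` is a database
// round trip during which the other request can run. Names are hypothetical.

interface AuthCodeRow { code: string; is_used: boolean }
type Table = Map<string, AuthCodeRow>;
type Exchange = Generator<void, string | null, void>;

// Vulnerable flow: read is_used, run the remaining checks, then mark the code
// used with an unconditional UPDATE. Nothing ties the read to the write.
function* exchangeVulnerable(t: Table, code: string, who: string): Exchange {
  yield; // SELECT is_used FROM oauth_codes WHERE code = ?
  const row = t.get(code);
  if (!row || row.is_used) return null;        // invalid_grant
  yield; // redirect-URI, PKCE and client checks (further round trips)
  yield; // UPDATE oauth_codes SET is_used = true WHERE code = ?
  row.is_used = true;
  return `token-for-${who}`;                   // a fresh (access, refresh) pair
}

// Atomic claim: UPDATE ... SET is_used = true WHERE code = ? AND is_used = false.
// Condition and write run as one statement, so the check cannot go stale
// before the write; the affected-row count says whether this caller won.
function claimByCode(t: Table, code: string): number {
  const row = t.get(code);
  if (!row || row.is_used) return 0;
  row.is_used = true;
  return 1;
}

// Fixed flow: validate first, then claim immediately before minting a token.
function* exchangeFixed(t: Table, code: string, who: string): Exchange {
  yield; // redirect-URI, PKCE and client checks
  yield; // the claimByCode UPDATE round trip
  if (claimByCode(t, code) !== 1) return null; // invalid_grant
  return `token-for-${who}`;
}

// Round-robin scheduler: advances each request one step at a time, which is
// the worst-case interleaving for a read-then-write race.
function runConcurrently(requests: Exchange[]): (string | null)[] {
  const results: (string | null)[] = new Array(requests.length).fill(null);
  const pending = requests.map((r, i) => ({ r, i }));
  while (pending.length) {
    const { r, i } = pending.shift()!;
    const step = r.next();
    if (step.done) results[i] = step.value; else pending.push({ r, i });
  }
  return results;
}

type Flow = (t: Table, code: string, who: string) => Exchange;

// Two clients race the same (constructed) code; returns how many tokens were minted.
function tokensMinted(flow: Flow): number {
  const code = 'constructed-auth-code';
  const t: Table = new Map([[code, { code, is_used: false }]]);
  const out = runConcurrently([flow(t, code, 'legit'), flow(t, code, 'racer')]);
  return out.filter((x): x is string => x !== null).length;
}
```

`tokensMinted(exchangeVulnerable)` yields 2 tokens for one code, `tokensMinted(exchangeFixed)` yields 1; in a real deployment the same property can be checked by firing two exchanges for one code and confirming only one `200` comes back.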
How to fix CVE-2026-47386
To fix CVE-2026-47386, upgrade the affected package to one of the patched versions below.
- — upgrade to 2026.05.1 or later
Is CVE-2026-47386 being exploited?
There are currently no exploitation signals. CVE-2026-47386 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- from 0, < 2026.05.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |