GHSA-g72g-r7m4-9x4g: NocoDB: OAuth Tokens Persist Through Security Events
OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.