SB2026052308 - Multiple vulnerabilities in NocoDB

Description

This security bulletin contains information about 2 vulnerabilities.

1) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-46554)

CWE-ID: CWE-525 - Use of Web Browser Cache Containing Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to retain access using a deleted API token.

The vulnerability exists due to improper cache invalidation in the auth cache when processing API token deletion. A remote user can continue sending requests with a previously deleted token to retain access using a deleted API token.

Deleted tokens may continue to be accepted until the cache entry expires, creating a revocation delay of up to three days.

2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-46551)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the v1/v2 attachment API upload-by-url path when downloading files from user-supplied URLs. A remote user can submit a URL referencing an arbitrarily large file to cause a denial of service.

The issue can exhaust disk space and lead to blocked database writes, log rotation failures, and application crashes.

Remediation

Install update from vendor's website.

References

• https://github.com/nocodb/nocodb/security/advisories/GHSA-f76x-f9vj-92jv
• https://github.com/nocodb/nocodb/security/advisories
• https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p