PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46550 nocodb CVE debrief

CVE-2026-46550 is a medium-severity vulnerability in NocoDB, software for building spreadsheet-style databases. The refresh-token cookie was set with httpOnly: true but lacked both the secure flag and the sameSite attribute, so it could be intercepted on the network over plain HTTP and attached by a browser to cross-site POSTs, enabling CSRF against the token-refresh endpoint. The vulnerability was fixed in version 2026.04.1; users of affected versions should update to 2026.04.1 or later. Defenders should review their inventory of NocoDB instances and confirm that each is running the patched version.

Vendor
nocodb
Product
Unknown
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Defenders and administrators who operate NocoDB should be aware of this vulnerability and take steps to mitigate it: review the inventory of NocoDB instances, confirm that each is running version 2026.04.1 or later, and monitor for CSRF attempts against the token-refresh endpoint.

Technical summary

The refresh-token cookie in NocoDB was set with httpOnly: true but lacked both the secure flag and the sameSite attribute. Without the secure flag, a browser also sends the cookie over plain HTTP, where it can be intercepted on the network; without a sameSite attribute, the browser attaches it to cross-site POSTs, so a third-party page can drive CSRF against the token-refresh endpoint. The vulnerability has a CVSS score of 5.4 and is classified as medium severity. The issue was addressed in version 2026.04.1.

Defensive priority

Defenders should prioritize updating NocoDB instances to version 2026.04.1 or later. Additionally, defenders should review their configurations to ensure that NocoDB instances are not exposed to untrusted networks or users.

Recommended defensive actions

  • Update NocoDB instances to version 2026.04.1 or later.
  • Review inventory of NocoDB instances and ensure they are running the patched version.
  • Monitor for potential CSRF attacks against the token-refresh endpoint.
  • Ensure NocoDB instances are not exposed to untrusted networks or users.
  • Consider implementing additional security measures, such as web application firewalls or intrusion detection systems.

Evidence notes

The CVE-2026-46550 vulnerability was reported by an unknown source and is listed in the NVD. It has a CVSS score of 5.4 and is classified as medium severity. The issue was addressed in version 2026.04.1. The CVE record and NVD detail pages provide additional information about the vulnerability.

Official resources

This article was generated with AI assistance based on the supplied source corpus.