PatchSiren cyber security CVE debrief
CVE-2026-47386 nocodb CVE debrief
CVE-2026-47386 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, the software allowed two concurrent token-exchange requests using the same OAuth authorization code to each mint a distinct valid (access_token, refresh_token) pair. This breaks the single-use guarantee that Proof Key for Code Exchange (PKCE) relies on. The vulnerability has a CVSS score of 6.3 and is classified as MEDIUM severity. It was published on June 23, 2026, and modified on June 25, 2026. The vulnerability is fixed in version 2026.05.1 of NocoDB.
- Vendor: nocodb
- Product: Unknown
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-25
Who should care
Organizations running NocoDB versions prior to 2026.05.1 should be aware of this vulnerability: it weakens the single-use protection that PKCE-based OAuth flows depend on, so an authorization code could be redeemed more than once. This is particularly relevant where NocoDB manages sensitive data or is wired into OAuth-based authentication.
Technical summary
The vulnerability arises from how NocoDB handled concurrent token-exchange requests. When two requests arrived at the same time carrying the same OAuth authorization code, each could be issued its own valid set of tokens (access_token and refresh_token) instead of the second request being rejected. This undermines the single-use guarantee that authorization codes carry and that PKCE-protected flows rely on to blunt token interception attacks. NocoDB version 2026.05.1 changes the token-exchange process so that a code can be redeemed only once.
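The bug class is a check-then-consume race on the authorization code. The following added example (constructed for this debrief, not NocoDB's code; the in-memory store, token layout and client id are hypothetical) contrasts a racy "look up, mint, then delete" exchange with an atomic "remove and check in one step" exchange, and drives both with two requests that hit the endpoint simultaneously.

```python
"""Single-use authorization codes: racy vs. atomic redemption (constructed demo)."""
import secrets
import threading
from typing import Callable, Optional


def _mint_tokens() -> dict:
    # Hypothetical token pair; real servers bind these to client, scope and expiry.
    return {"access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32)}


class CodeStore:
    """In-memory authorization-code store shared by all token-endpoint workers."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}   # code -> client_id (constructed)
        self._lock = threading.Lock()

    def issue(self, client_id: str) -> str:
        code = secrets.token_urlsafe(16)
        with self._lock:
            self._codes[code] = client_id
        return code

    def racy_exchange(self, code: str, pause: Callable[[], None]) -> Optional[dict]:
        """Vulnerable pattern: the code is only deleted after tokens are minted,
        so two requests that both pass the lookup both receive tokens."""
        client_id = self._codes.get(code)          # 1. check
        pause()                                    # PKCE checks etc. happen here
        if client_id is None:
            return None
        tokens = _mint_tokens()                    # 2. mint
        self._codes.pop(code, None)                # 3. consume (too late)
        return tokens

    def atomic_exchange(self, code: str, pause: Callable[[], None]) -> Optional[dict]:
        """Hardened pattern: consuming the code and learning whether it existed is one
        step under the lock (the SQL analogue is a conditional DELETE/UPDATE whose
        affected-row count decides), so exactly one request can ever win."""
        pause()                                    # all requests arrive together
        with self._lock:
            client_id = self._codes.pop(code, None)
        return None if client_id is None else _mint_tokens()


def concurrent_redeem(exchange, code: str, n: int = 2) -> int:
    """Fire n token-exchange requests at once; return how many received tokens."""
    barrier = threading.Barrier(n)                 # makes the race deterministic
    results: list = []
    workers = [threading.Thread(target=lambda: results.append(exchange(code, barrier.wait)))
               for _ in range(n)]
    for t in workers: t.start()
    for t in workers: t.join()
    return sum(r is not None for r in results)


def demo() -> tuple[int, int]:
    """Token pairs issued for one code under each pattern: (racy, atomic)."""
    store = CodeStore()
    racy = concurrent_redeem(store.racy_exchange, store.issue("client-a"))
    fixed = concurrent_redeem(store.atomic_exchange, store.issue("client-a"))
    return racy, fixed
```

`demo()` returns `(2, 1)`: the racy store hands out two valid token pairs for one code, the atomic store exactly one, and any later attempt to redeem the same code fails.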
Defensive priority
Defenders should prioritize updating NocoDB to version 2026.05.1 or later to mitigate this vulnerability. Additionally, reviewing and monitoring OAuth-based authentication flows for any suspicious activity related to token-exchange requests is advisable.
Recommended defensive actions
- Update NocoDB to version 2026.05.1 or later.
- Review OAuth-based authentication configurations, in particular how authorization codes are issued and redeemed.
- Monitor for suspicious token-exchange requests, such as the same authorization code being presented more than once.
- Implement additional logging and monitoring for authentication events.
- Consider compensating controls for environments where immediate updates are not feasible.
Evidence notes
The CVE record and NVD details were used to compile this debrief. The source item provided includes information from the NVD database, which was modified on June 25, 2026. A reference to a GitHub security advisory (GHSA-8m7c-hf24-5g47) was also noted, indicating the vulnerability was addressed in NocoDB version 2026.05.1.
Official resources
- CVE-2026-47386 CVE record (CVE.org)
- CVE-2026-47386 NVD detail (NVD)
- Source item URL: nvd_modified (source reference)
This article is AI-assisted and based on the supplied source corpus.