NocoDB, Stale Auth Cache, CVE‑2026‑46554 (Low)

Listen to this Post

How the vulnerability works

NocoDB uses an in‑memory or Redis‑based authentication cache to speed up repeated API token lookups.
When a request arrives, the auth middleware first checks the cache for an entry keyed by the raw token value.
If a hit occurs, the user is allowed access without contacting the underlying database.
The deletion API that removes a token from the database did not also delete the corresponding cache entry.
Because the cache entry was never invalidated, a token that had already been deleted still existed in the cache.
The cache entry is assigned a TTL (time‑to‑live) that defaults to 86400 seconds (24 hours).
However, depending on local configuration (e.g., custom `NC_REDIS_TTL` or grace periods) the effective lifetime could be up to three days.
Until the cache entry naturally expires, the auth middleware continues to accept the deleted token as if it were still valid.
Thus, an operator who deletes a token through the UI or the API cannot rely on the token being instantly revoked.
The gap between the database deletion and the cache expiry creates a “deletion‑to‑revocation window” where a supposedly revoked token still grants access.
An attacker who possesses a deleted token (e.g., from a compromised backup or a leaked token that was later removed) can continue to use it during this window.
The vulnerability was assigned CVE‑2026‑46554 and classified as Low severity because it requires prior knowledge of the token value and only extends the lifetime of an already compromised token.

DailyCVE Form

Platform: NocoDB
Version: prior to fix
Vulnerability: stale auth cache
Severity: Low
Date: May 21, 2026

Prediction: May 21, 2026

What Undercode Say

Check current cache TTL (if using Redis)
redis-cli TTL "nc::api-token:"
Simulate the vulnerability: delete token via API
curl -X DELETE -H "xc-token: YOUR-ADMIN-TOKEN" \
https://your-nocodb.com/api/v1/auth/token/DELETED_TOKEN_ID
Immediately try to authenticate with the same deleted token
curl -H "xc-token: DELETED-TOKEN-VALUE" \
https://your-nocodb.com/api/v1/db/meta/projects
Force cache invalidation manually (proof-of-concept)
redis-cli DEL "nc::api-token:DELETED-TOKEN-VALUE"

Exploit

  1. Obtain a valid API token (e.g., from a previous breach, log file, or a test token that was later deleted).
  2. Wait for the token to be deleted by the administrator.
  3. Continue sending requests with the deleted token until the cache TTL expires.
  4. The auth middleware will keep accepting the request, granting unauthorized access.

Protection from this CVE

  • Upgrade NocoDB to the version that includes the fix (the patch adds a cache deletion step in the token deletion handler).
  • If upgrading is not possible, manually flush the authentication cache after deleting any token:
    redis-cli DEL "nc::api-token:<TOKEN-VALUE>"
    
  • Reduce the default cache TTL to a very short value (e.g., 60 seconds) to shrink the exploitation window.
  • Regularly audit API token usage and rotate tokens often.

Impact

  • Deleted API tokens can be used for up to three days after they are officially revoked.
  • An attacker who possesses a deleted token can continue to access all resources that the original token could access.
  • Operators lose the guarantee that token deletion is an immediate, effective revocation.
  • In multi‑tenant environments, this can allow cross‑tenant access if the same token was shared across bases.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top