42 matches found

NVD
added 2026/06/23 9:16 p.m., 6 views

CVE-2026-46554

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row bu...

CVSS 2.3, EPSS 0.00197
Exploits 0, References 1
Cvelist
added 2026/06/23 8:30 p.m., 26 views

CVE-2026-46554 NocoDB: Stale Auth Cache After API Token Deletion

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row bu...

CVSS 2.3, EPSS 0.00197
Exploits 0, References 1
CVE
added 2026/06/23 8:30 p.m., 21 views

CVE-2026-46554

NocoDB prior to 2026.04.4 is affected by a stale-auth-cache issue: when an API token is deleted, the auth cache entry keyed by the token value is not evicted, allowing the token to continue authenticating until the cache entry expires. This creates a deletion-to-revocation window of up to three d...

CVSS 2.3, AI score 5.8, EPSS 0.00197
Exploits 0, References 1
ATTACKERKB
added 2026/06/23 8:3 p.m., 5 views

CVE-2026-53928

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForg...

CVSS 6.3, AI score 5.9, EPSS 0.00242
Exploits 0, References 2, Affected Software 1
Snyk
added 2026/05/21 8:39 p.m., 25 views

Insufficient Session Expiration

Overview: nocodb is a NocoDB package. Affected versions of this package are vulnerable to Insufficient Session Expiration through the ApiToken delete path in the token management code. An attacker can keep using a deleted API token by deleting it while the cache entry remains keyed under the token value,...

CVSS 6.3, AI score 5.8, EPSS 0.00197
Exploits 0, References 2
Patchstack
added 2026/05/21 8:39 p.m., 10 views

NPM: NocoDB: Stale Auth Cache After API Token Deletion

NPM: NocoDB: Stale Auth Cache After API Token Deletion vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...

AI score 5.8, EPSS 0.00197
Exploits 0, References 2, Affected Software 1
OSV
added 2026/05/21 8:39 p.m., 6 views

GHSA-F76X-F9VJ-92JV NocoDB: Stale Auth Cache After API Token Deletion

Summary: Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details: The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

CVSS 2.3, AI score 5.7, EPSS 0.00197
Exploits 0, References 2
Github Security Blog
added 2026/05/21 8:39 p.m., 15 views

NocoDB: Stale Auth Cache After API Token Deletion

Summary: Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details: The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

CVSS 2.3, AI score 5.7, EPSS 0.00197
Exploits 0, References 2, Affected Software 1
NVD
added 2026/05/21 8:16 p.m., 21 views

CVE-2026-4843

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the processajaxrestoreaction function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVSS 4.3, EPSS 0.00192
Exploits 0, References 2
Cvelist
added 2026/05/21 7:29 p.m., 36 views

CVE-2026-4843 GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the processajaxrestoreaction function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVSS 4.3, EPSS 0.00192
Exploits 0, References 2
Positive Technologies
added 2026/05/21 12:0 a.m., 9 views

PT-2026-42622

Summary: Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details: The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

CVSS 2.3, AI score 5.7
Exploits 0, References 3
Snyk
added 2026/03/11 12:16 a.m., 3 views

Authorization Bypass Through User-Controlled Key

Overview: @withstudiocms/auth-kit is a utilities package for managing authentication. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the DELETE /studiocmsapi/dashboard/api-tokens endpoint. An attacker can revoke API tokens belonging to other users,...

CVSS 7.1, AI score 5.9, EPSS 0.00452
Exploits 2, References 2
Vulnrichment
added 2026/03/02 4:17 p.m., 3 views

CVE-2026-28361 NocoDB: Missing Ownership Validation in MCP Token Operations

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in...

CVSS 7.1, AI score 5.8, EPSS 0.0016
Exploits 0, References 2
Cvelist
added 2025/11/13 5:49 p.m., 18 views

CVE-2025-64706 Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing th...

CVSS 5, EPSS 0.00208
Exploits 1, References 1
Vulnrichment
added 2025/11/13 5:49 p.m., 4 views

CVE-2025-64706 Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing th...

CVSS 5, AI score 6.4, EPSS 0.00208
Exploits 1, References 1
CVE
added 2025/11/13 5:49 p.m., 13 views

CVE-2025-64706

Typebot (open-source chatbot builder) contains an IDOR vulnerability in the API token management endpoint affecting versions 3.9.0 through 3.12.9 (up to but excluding 3.13.0). An authenticated attacker can delete any user’s API token and retrieve its value by knowing the target user ID and token ...

CVSS 7.5, AI score 6.4, EPSS 0.00208
Exploits 1, References 1, Affected Software 1
EUVD
added 2025/11/13 5:49 p.m., 6 views

EUVD-2025-175346

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing th...

CVSS 5, AI score 6.3, EPSS 0.00208
Exploits 1, References 1
OSV
added 2025/11/13 5:49 p.m., 6 views

CVE-2025-64706 Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure

Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing th...

CVSS 5, AI score 6.7, EPSS 0.00208
Exploits 1, References 3
CNNVD
added 2025/11/13 12:0 a.m., 4 views

Typebot security vulnerability

Typebot is an open source chatbot builder by the individual developer Baptiste Arnaud. A security vulnerability exists in Typebot version 3.9.0 up to and including version 3.13.0, which stems from the presence of an insecure direct object reference in the API token management endpoint, which coul...

CVSS 7.5, AI score 6.7, EPSS 0.00208
Exploits 1, References 2
Positive Technologies
added 2025/11/13 12:0 a.m., 8 views

PT-2025-46875

Name of the Vulnerable Software and Affected Versions: Typebot versions 3.9.0 through 3.12.9. Description: Typebot is an open-source chatbot builder. An Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's AP...

CVSS 7.5, AI score 5.9, EPSS 0.00208
Exploits 1, References 6