
5 matches found

CVE
added 6 days ago, 16 views

CVE-2026-47386

CVE-2026-47386 affects NocoDB’s OAuth token-exchange flow. Before 2026.05.1, two concurrent token-exchange requests could use the same OAuth authorization code to mint two valid token pairs, breaking PKCE’s single-use guarantee. The issue is mitigated by a fix in 2026.05.1, which introduces atomi...

CVSS 6.3, AI score 5.9, EPSS 0.00197
Exploits: 0, References: 1
CVE
added 2024/09/16 12:0 a.m., 36 views

CVE-2024-44445

This CVE-2024-44445 entry is rejected/not used and does not represent an active vulnerability.

AI score 6.6
Exploits: 0
Code423n4
added 2023/06/23 12:0 a.m., 7 views

Lack of token pair existence

Lines of code Vulnerability details Impact There is no check that ensures the token pair does exist. Proof of Concept The code assumes that if a token pair ID is not registered or if the token pair is not enabled, the conversion process will be skipped. However, there is no explicit check or...

AI score 7.2
Exploits: 0
Code423n4
added 2022/09/08 12:0 a.m., 9 views

Tokens with low trading volumes will have distorted time weighting

Lines of code Vulnerability details Proof of Concept Although the docs talk of time weighted values, the actual processing of values by update, reserves, sampleReserves and sampleSupply weights all observations as equal, regardless of duration. So long as update is being called frequently, this...

AI score 6.7
Exploits: 0
RedhatCVE
added 2017/10/17 7:49 p.m., 25 views

CVE-2017-12160

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself...

CVSS 7.2, AI score 4.4, EPSS 0.01887
Exploits: 0, References: 1