CVE-2026-46550
CWE-614Published: June 23, 2026· Updated: Jun 25, 2026
Official Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
Technical Analysis
CVE-2026-46550 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-614)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-46550 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts