CVE-2026-46554
CWE-613Published: June 23, 2026· Updated: Jun 25, 2026
Official Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. This vulnerability is fixed in 2026.04.4.
Technical Analysis
CVE-2026-46554 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (P) is needed, which slightly reduces the risk of mass automated attacks.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-613)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-46554 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts