VYPR · Low severity (2.3) · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

NocoDB: Stale Auth Cache After API Token Deletion

CVE-2026-46554

Description

Summary

Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time.

Details

The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days.

Impact

Tokens revoked through the UI or API continued to grant access during the cache TTL, breaking the operator's expected security guarantee that deletion is immediate.

Credit

This issue was reported by @bugbunny-research.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deleted API tokens continue to authenticate until the auth cache entry (TTL up to 3 days) expires, as the cache is not invalidated on token revocation.

Root Cause

The vulnerability arises from a cache invalidation gap in the API token deletion logic. When an administrator or user deletes an API token via the UI or API, the corresponding database row is removed, but the authentication cache entry keyed by the token value is not evicted [1]. As a result, the authentication middleware continues to treat the deleted token as valid until the cache entry ages out naturally [2].

Exploitation

No special network position is required; the attacker must possess a previously valid API token that the token holder has since deleted through the management interface. Since the token value is still cached, the attacker can reuse it for any API request that the token originally authorized. The deletion-to-revocation window is up to 72 hours, as the cache time-to-live (TTL) is three days [1][2].

Impact

This breaks the security guarantee that deleting an API token immediately revokes its access. An attacker who has obtained a valid token prior to its deletion can continue to use it for up to three days after the token is revoked, gaining unauthorized access to the affected application's resources [2].

Mitigation

The vendor has issued a security advisory (GHSA-f76x-f9vj-92jv) recommending that the application evict the token-value cache entry at the time of deletion [1][2]. Users should update to a patched version as soon as one is available, or apply any workarounds provided in the advisory.
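As an added illustration, not NocoDB's own code, the following TypeScript models the gap described under Details and the eviction-on-delete fix recommended under Mitigation: a token-value keyed auth cache with a three-day TTL, a simulated token table, and a fake clock so the revocation window can be probed without waiting. Class and function names are assumptions for this example.

```typescript
// Added example, not NocoDB's code: a token store with a TTL'd auth cache keyed by
// token value; delete() drops the row but leaves the cache entry unless evictOnDelete.
interface ApiToken { id: string; value: string; userId: string; }
const CACHE_TTL_MS = 3 * 24 * 60 * 60 * 1000; // three-day TTL, as in the advisory

class AuthCache {
  private entries: Record<string, { token: ApiToken; expiresAt: number }> = {};
  constructor(private clock: () => number) {}
  get(value: string): ApiToken | undefined {
    const hit = this.entries[value];
    if (!hit) return undefined;
    if (hit.expiresAt <= this.clock()) { delete this.entries[value]; return undefined; }
    return hit.token;
  }
  set(token: ApiToken): void {
    this.entries[token.value] = { token, expiresAt: this.clock() + CACHE_TTL_MS };
  }
  evict(value: string): void { delete this.entries[value]; }
}

class TokenService {
  private rows: Record<string, ApiToken> = {}; // stands in for the api_tokens table
  constructor(private cache: AuthCache, private evictOnDelete: boolean) {}
  create(token: ApiToken): void { this.rows[token.id] = token; }
  // Middleware path: consult the cache first, fall back to the table and populate it.
  authenticate(value: string): ApiToken | undefined {
    const cached = this.cache.get(value);
    if (cached) return cached;
    for (const id of Object.keys(this.rows)) {
      if (this.rows[id].value === value) { this.cache.set(this.rows[id]); return this.rows[id]; }
    }
    return undefined;
  }
  delete(id: string): void {
    const row = this.rows[id];
    delete this.rows[id];
    // The fix: evict the cache entry keyed by token value together with the row delete.
    if (row && this.evictOnDelete) this.cache.evict(row.value);
  }
}

// Does a token that was used, then deleted, still authenticate `elapsedMs` later?
function deletedTokenStillWorks(evictOnDelete: boolean, elapsedMs: number): boolean {
  let now = 0; // fake clock so the TTL can be advanced without waiting
  const svc = new TokenService(new AuthCache(() => now), evictOnDelete);
  const token = { id: "t1", value: "constructed-token-value", userId: "u1" }; // constructed
  svc.create(token);
  svc.authenticate(token.value); // a real request warms the cache
  svc.delete(token.id);
  now += elapsedMs;
  return svc.authenticate(token.value) !== undefined;
}
```

With `evictOnDelete` false the deleted token keeps authenticating until the entry ages out at `CACHE_TTL_MS`; with it true the token is rejected on the very next request.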

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
