CVE-2022-2064

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to maintain access to NoCodeDB sessions beyond their intended expiration time, potentially leading to unauthorized access. It affects all users running NoCodeDB versions prior to 0.91.7. Because session expiration is insufficient, authenticated sessions remain valid longer than security policy intends.

💻 Affected Systems

Products:
  • NoCodeDB
Versions: All versions prior to 0.91.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain persistent unauthorized access to sensitive data and administrative functions, potentially leading to data theft, manipulation, or complete system compromise.

🟠 Likely Case

Unauthorized users maintain access to user accounts they should no longer have, leading to data exposure and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper network segmentation and additional authentication layers, though session management remains flawed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial authentication, but once a session has been obtained, keeping it alive is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.91.7+

Vendor Advisory: https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b

Restart Required: Yes

Instructions:

1. Back up your NoCodeDB instance and data.
2. Update to version 0.91.7 or later using your package manager or deployment method.
3. Restart the NoCodeDB service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Force Session Termination (all)

Manually terminate all active sessions and implement shorter session timeouts:

  • Restart the NoCodeDB service to clear all sessions
  • Configure the session timeout to the minimum acceptable value

🧯 If You Can't Patch

  • Implement network segmentation to isolate NoCodeDB instances from sensitive systems
  • Deploy additional authentication layers (MFA, IP whitelisting) and monitor session activity closely

🔍 How to Verify

Check if Vulnerable:

Check the NoCodeDB version via the web interface or configuration files. If the version is below 0.91.7, the system is vulnerable.

Check Version:

Check the NoCodeDB web interface admin panel, or review package.json or the application configuration for the version number.

Verify Fix Applied:

Confirm the version is 0.91.7 or higher, then test that session expiration behaviour matches the configured timeout policy (a session must be rejected once the timeout has elapsed).

📡 Detection & Monitoring

Log Indicators:

  • Unusually long session durations
  • Multiple sessions from same user overlapping beyond timeout
  • Session renewal without re-authentication

Network Indicators:

  • Sustained API calls from sessions that should have expired
  • Authentication bypass patterns

SIEM Query:

source="nocodb" AND (session_duration > [configured_timeout] OR session_renewal_count > threshold)
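As an added illustration of the log indicators and SIEM query above (example code written for this page, not NoCodeDB's own; the log format and the sample lines are constructed), this script computes each session's observed lifetime and renewal count and flags sessions that stayed active past the configured timeout or renewed without a fresh login:

```python
from datetime import datetime

# Constructed sample log (not real NoCodeDB output): timestamp, event, user, session id.
SAMPLE_LOG = """\
2022-06-01T08:00:00Z auth.login user=alice session=s1
2022-06-01T08:10:00Z api.request user=alice session=s1
2022-06-01T10:30:00Z api.request user=alice session=s1
2022-06-01T11:45:00Z session.renew user=alice session=s1
2022-06-01T09:00:00Z auth.login user=bob session=s2
2022-06-01T09:20:00Z api.request user=bob session=s2
2022-06-01T09:30:00Z auth.logout user=bob session=s2
"""

def parse_events(log_text):
    """Yield (timestamp, event, user, session_id) from the constructed format."""
    for line in log_text.splitlines():
        ts, event, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")), event,
               fields["user"], fields["session"])

def audit_sessions(log_text, timeout_seconds=3600, renewal_threshold=0):
    """Return {session_id: finding} for sessions seen active past the configured
    timeout, or renewed without a fresh login (two of the page's log indicators)."""
    sessions = {}
    for ts, event, user, sid in parse_events(log_text):
        s = sessions.setdefault(sid, {"user": user, "first": ts, "last": ts,
                                      "logins": 0, "renewals": 0})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        if event == "auth.login":
            s["logins"] += 1
        elif event == "session.renew":
            s["renewals"] += 1
    findings = {}
    for sid, s in sessions.items():
        duration = int((s["last"] - s["first"]).total_seconds())
        reasons = []
        if duration > timeout_seconds:  # server honoured a session past its expiry
            reasons.append(f"active {duration}s after login, timeout is {timeout_seconds}s")
        if s["renewals"] > renewal_threshold and s["logins"] <= 1:  # no re-auth seen
            reasons.append(f"{s['renewals']} renewal(s) without re-authentication")
        if reasons:
            findings[sid] = {"user": s["user"], "duration_seconds": duration,
                             "renewals": s["renewals"], "reasons": reasons}
    return findings

if __name__ == "__main__":
    for sid, f in audit_sessions(SAMPLE_LOG).items():
        print(sid, f["user"], "; ".join(f["reasons"]))
```

Set `timeout_seconds` to the value actually configured on the instance; a session that is still active after that many seconds is the page's "unusually long session duration" indicator.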
