Skip to main content

CVE-2026-33221

LOW
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-18 https://github.com/nhost/nhost GHSA-g9f6-9775-hffm
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
Jun 03, 2026 - 14:22 NVD
2.1 (LOW)
Analysis Generated
Mar 18, 2026 - 20:30 vuln.today
Patch released
Mar 18, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 18, 2026 - 20:21 nvd
LOW

DescriptionGitHub Advisory

Summary

The storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.

Affected Component

  • Service: services/storage
  • File: services/storage/controller/upload_files.go
  • Function: getMultipartFile (lines 48-70)

Root Cause

In getMultipartFile, if the client provides a non-empty Content-Type header that isn't application/octet-stream, the function returns it as-is without performing content-based detection:

go
contentType := file.header.Header.Get("Content-Type")
if contentType != "" && contentType != "application/octet-stream" {
    return fileContent, contentType, nil // skip detection entirely
}

// mimetype.DetectReader only reached if client sends no Content-Type
// or sends application/octet-stream
mt, err := mimetype.DetectReader(fileContent)

Impact

Incorrect MIME type in file metadata. The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.

Suggested Fix

Always detect MIME type from file content using mimetype.DetectReader, ignoring the client-provided Content-Type header entirely.

References

  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-434: Unrestricted Upload of File with Dangerous Type

AnalysisAI

The Nhost storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection, allowing attackers to upload files with spoofed MIME types that bypass bucket-level MIME restrictions. This affects the Go module github.com/nhost/nhost and could cause downstream systems (browsers, CDNs, applications) to mishandle files based on false type metadata. While the CVSS vector indicates low immediate severity due to requiring user interaction and lacking direct confidentiality or availability impact, the metadata corruption poses integrity risks for systems relying on accurate file type information.

Technical ContextAI

The vulnerability exists in the getMultipartFile function within services/storage/controller/upload_files.go (lines 48-70) of the Nhost backend-as-a-service platform written in Go. The affected component (pkg:go/github.com_nhost_nhost) implements a file storage service that fails to perform content-based MIME type detection when a non-empty Content-Type header is provided by the client. The root cause is classified under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The code logic explicitly skips the mimetype.DetectReader function—which performs content-based detection—whenever the client supplies a Content-Type header value other than application/octet-stream, placing full trust in unvalidated client input rather than inspecting file content entropy and file signatures.

RemediationAI

Upgrade the Nhost platform to a version incorporating patch commit c4bd53f042d7f568e567e18e2665af81660fce85 or later by following the vendor's update guidance at https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm. The upstream fix ensures that getMultipartFile always invokes mimetype.DetectReader on file content, completely ignoring client-provided Content-Type headers. For deployments unable to upgrade immediately, implement compensating controls by deploying a reverse proxy (nginx, Envoy) that strips or re-validates the Content-Type header before it reaches the storage service, and configure the storage service's bucket policies to enforce strict MIME type whitelisting at the policy layer rather than relying on metadata alone. Additionally, audit stored file metadata for discrepancies between claimed and actual content types using file signature inspection tools.

Share

CVE-2026-33221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy