Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summary
The upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.
Details
The attachments service now checks NC_ATTACHMENT_FIELD_SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.
Impact
Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.
Credit
This issue was reported by @bugbunny-research.
AnalysisAI
Attachment size limit bypass in NocoDB (npm, versions up to and including 0.301.3) allows authenticated users with upload permission to store files exceeding the operator-configured NC_ATTACHMENT_FIELD_SIZE quota via the upload-by-URL pathway. The attachments service failed to validate file size against either the remote server's Content-Length HTTP header or the decoded byte length of data: URI payloads before fetching, and the local storage plugin did not set maxContentLength on the axios download, enabling unconstrained resource consumption. No public exploit has been identified at time of analysis, and no vendor-released patched version is confirmed available.
Technical ContextAI
NocoDB is an open-source no-code database platform distributed as the npm package pkg:npm/nocodb. The vulnerability resides in the attachments service, which supports file ingestion via remote URL references (both standard HTTP URLs and data: URIs). CWE-770 (Allocation of Resources Without Limits or Throttling) identifies the root cause: the service did not consult the NC_ATTACHMENT_FIELD_SIZE environment variable to pre-validate size before initiating a fetch. For HTTP URL uploads, the HEAD response's Content-Length header was not checked. For data: URI uploads, the base64-decoded payload length was not evaluated. Additionally, the local storage plugin's axios HTTP client lacked a maxContentLength constraint, meaning a malicious or misconfigured upstream server could stream arbitrarily large content into storage regardless of application-layer settings. The fix described in the advisory introduces pre-fetch size checks at both entry points and adds axios-level enforcement.
RemediationAI
No vendor-released patched version has been identified at time of analysis - the GHSA advisory (https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6) lists the fixed version as 'None,' and the npm package nocodb should be monitored for a remediated release to upgrade to as soon as one is published. As compensating controls, administrators should restrict access to attachment fields and the upload-by-URL feature to the minimum set of trusted users, noting this limits legitimate URL-based attachment workflows. Operators can enforce storage limits at the infrastructure layer independently of the application - for example, via filesystem quotas, S3 bucket storage limits, or object storage lifecycle policies - which will constrain damage even if the application-layer check is bypassed; trade-off is that these controls are reactive rather than preventive. Disabling the upload-by-URL feature entirely at the network or application configuration level is the strongest compensating control if the feature is not required. Egress firewall rules that restrict NocoDB's ability to fetch from arbitrary external URLs can reduce exposure to malicious remote servers designed to stream oversized content.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38583
GHSA-8rwr-f68v-cvw6