Skip to main content

NocoDB CVE-2026-46553

| EUVDEUVD-2026-38583 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-21 https://github.com/nocodb/nocodb GHSA-8rwr-f68v-cvw6
2.1
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 23, 2026 - 23:02 EUVD
CVSS changed
Jun 23, 2026 - 21:22 NVD
2.1 (LOW)
Source Code Evidence Fetched
May 21, 2026 - 21:35 vuln.today
Analysis Generated
May 21, 2026 - 21:35 vuln.today

DescriptionCVE.org

Summary

The upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.

Details

The attachments service now checks NC_ATTACHMENT_FIELD_SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.

Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

Credit

This issue was reported by @bugbunny-research.

AnalysisAI

Attachment size limit bypass in NocoDB (npm, versions up to and including 0.301.3) allows authenticated users with upload permission to store files exceeding the operator-configured NC_ATTACHMENT_FIELD_SIZE quota via the upload-by-URL pathway. The attachments service failed to validate file size against either the remote server's Content-Length HTTP header or the decoded byte length of data: URI payloads before fetching, and the local storage plugin did not set maxContentLength on the axios download, enabling unconstrained resource consumption. No public exploit has been identified at time of analysis, and no vendor-released patched version is confirmed available.

Technical ContextAI

NocoDB is an open-source no-code database platform distributed as the npm package pkg:npm/nocodb. The vulnerability resides in the attachments service, which supports file ingestion via remote URL references (both standard HTTP URLs and data: URIs). CWE-770 (Allocation of Resources Without Limits or Throttling) identifies the root cause: the service did not consult the NC_ATTACHMENT_FIELD_SIZE environment variable to pre-validate size before initiating a fetch. For HTTP URL uploads, the HEAD response's Content-Length header was not checked. For data: URI uploads, the base64-decoded payload length was not evaluated. Additionally, the local storage plugin's axios HTTP client lacked a maxContentLength constraint, meaning a malicious or misconfigured upstream server could stream arbitrarily large content into storage regardless of application-layer settings. The fix described in the advisory introduces pre-fetch size checks at both entry points and adds axios-level enforcement.

RemediationAI

No vendor-released patched version has been identified at time of analysis - the GHSA advisory (https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6) lists the fixed version as 'None,' and the npm package nocodb should be monitored for a remediated release to upgrade to as soon as one is published. As compensating controls, administrators should restrict access to attachment fields and the upload-by-URL feature to the minimum set of trusted users, noting this limits legitimate URL-based attachment workflows. Operators can enforce storage limits at the infrastructure layer independently of the application - for example, via filesystem quotas, S3 bucket storage limits, or object storage lifecycle policies - which will constrain damage even if the application-layer check is bypassed; trade-off is that these controls are reactive rather than preventive. Disabling the upload-by-URL feature entirely at the network or application configuration level is the strongest compensating control if the feature is not required. Egress firewall rules that restrict NocoDB's ability to fetch from arbitrary external URLs can reduce exposure to malicious remote servers designed to stream oversized content.

Share

CVE-2026-46553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy