NocoDB CVE-2026-46553

LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-21 https://github.com/nocodb/nocodb GHSA-8rwr-f68v-cvw6

Lifecycle Timeline

Source Code Evidence Fetched
May 21, 2026 - 21:35 vuln.today
Analysis Generated
May 21, 2026 - 21:35 vuln.today

Description (NVD)

Summary

The upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.

Details

The attachments service now checks NC_ATTACHMENT_FIELD_SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.
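The two pre-fetch checks and the download-time cap described above, as an added example that is not NocoDB's own code. The function names, the 1024-byte limit and the sample inputs are constructed, and the base64 branch assumes the body is not itself percent-encoded.

```javascript
// Added example; function names are hypothetical, not NocoDB's.
const LIMIT = 1024; // constructed stand-in for NC_ATTACHMENT_FIELD_SIZE, in bytes

// Decoded byte length of a data: URI body, computed without decoding it.
function dataUriDecodedLength(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/.exec(uri);
  if (!m) throw new Error('not a data: URI');
  const [, meta, body] = m;
  if (/;base64$/i.test(meta)) {
    const b64 = body.replace(/\s+/g, '');
    const pad = b64.endsWith('==') ? 2 : b64.endsWith('=') ? 1 : 0;
    return Math.floor((b64.length * 3) / 4) - pad;
  }
  // Percent-encoded body: every %XX is three characters for one byte.
  const escapes = (body.match(/%[0-9a-f]{2}/gi) || []).length;
  return Buffer.byteLength(body, 'utf8') - 2 * escapes;
}

// Pre-fetch gate: data: URIs by decoded length, http(s) URLs by the HEAD
// response's content-length. A missing header passes here, so the download
// itself must be capped as well.
function precheck(url, headHeaders, limit) {
  if (/^data:/i.test(url)) {
    const size = dataUriDecodedLength(url);
    return { ok: size <= limit, size };
  }
  const raw = headHeaders['content-length'];
  if (raw === undefined) return { ok: true, size: null };
  const size = Number(raw);
  return { ok: Number.isInteger(size) && size >= 0 && size <= limit, size };
}

// Download-time cap: counts bytes as chunks arrive and throws once the
// limit is passed, whatever the server advertised.
function makeByteCap(limit) {
  let total = 0;
  return (chunk) => {
    total += chunk.length;
    if (total > limit) throw new Error(`download exceeded ${limit} bytes`);
    return total;
  };
}
```

The byte counter plays the role that `maxContentLength` plays on the axios download: it is the only check that still holds when the HEAD response omits or understates `content-length`.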

Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

Credit

This issue was reported by @bugbunny-research.

Analysis (AI)

Attachment size limit bypass in NocoDB (npm, versions up to and including 0.301.3) allows authenticated users with upload permission to store files exceeding the operator-configured NC_ATTACHMENT_FIELD_SIZE quota via the upload-by-URL pathway. The attachments service failed to validate file size against either the remote server's Content-Length HTTP header or the decoded byte length of data: URI payloads before fetching, and the local storage plugin did not set maxContentLength on the axios download, enabling unconstrained resource consumption. …
