Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector with low-privilege upload account required (PR:L), victim must open the link (UI:R), scope changes to victim browser (S:C), JWT theft enables full session takeover (C:H).
Primary rating from Vendor (https://github.com/nocodb/nocodb).
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Summary
With NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download.
Details
The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. The fix corrects the key case and additionally forces Content-Disposition: attachment and Content-Type: application/octet-stream for any MIME type not on the preview allowlist.
Impact
Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script executing in the victim's browser can read the auth JWT from localStorage. Exploitation requires authenticated upload permission and the secure-attachment mode to be enabled.
Credit
This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.
AnalysisAI
Stored Cross-Site Scripting in NocoDB (npm package, versions <= 0.301.3) allows an authenticated user with upload permissions to deliver malicious .html or .svg attachments that the victim's browser renders inline from the NocoDB origin, bypassing the intended forced-download behavior. The root cause is a header-key case mismatch in the secure attachment handler: the signed URL generator wrote overrides as PascalCase keys while the Express controller read them as lowercase-hyphen keys, silently dropping Content-Disposition: attachment and enabling inline rendering. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific conditions to be simultaneously true: (1) the attacker must hold an authenticated NocoDB account with upload permission on at least one base - anonymous or read-only access is insufficient; (2) the target NocoDB instance must be configured with the environment variable `NC_SECURE_ATTACHMENTS=true`, which is a non-default opt-in setting. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-high for deployments that meet the exploitation prerequisites but lower for the broader NocoDB install base. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a NocoDB collaborator account that includes file upload permissions crafts an `.svg` file containing an embedded `<script>` tag that sends `document.cookie` and `localStorage.getItem('nocodb-token')` to an attacker-controlled endpoint. The attacker uploads this file to a shared base in a NocoDB instance running with `NC_SECURE_ATTACHMENTS=true`. … |
| Remediation | No vendor-released patch has been confirmed at time of analysis - the GHSA advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-6mhr-74x2-98v9 and https://github.com/advisories/GHSA-6mhr-74x2-98v9 describe the fix but do not list a remediated release version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38602
GHSA-6mhr-74x2-98v9