Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3ps4-aqy4-7keu
Vulnerability ID VCID-3ps4-aqy4-7keu
Aliases CVE-2026-46553
GHSA-8rwr-f68v-cvw6
Summary NocoDB: Attachment Size Limit Bypass via Upload-by-URL ### Summary The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` against either the remote file's advertised `Content-Length` or the decoded length of a `data:` URI, allowing an authenticated user to bypass the configured per-file size limit. ### Details The attachments service now checks `NC_ATTACHMENT_FIELD_SIZE` against both the HEAD response's `content-length` and the decoded length of a `data:` URI body before fetching. The local storage plugin additionally sets `maxContentLength` on the axios download so a malicious server cannot stream past the limit. ### Impact Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps. ### Credit This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-770 Allocation of Resources Without Limits or Throttling
System Score Found at
cvssv3.1_qr LOW https://github.com/advisories/GHSA-8rwr-f68v-cvw6
cvssv4 2.1 https://github.com/nocodb/nocodb
generic_textual LOW https://github.com/nocodb/nocodb
cvssv3.1_qr LOW https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6
cvssv4 2.1 https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6
generic_textual LOW https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6
Reference id Reference type URL
https://github.com/nocodb/nocodb
https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6
GHSA-8rwr-f68v-cvw6 https://github.com/advisories/GHSA-8rwr-f68v-cvw6
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P Found at https://github.com/nocodb/nocodb
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P Found at https://github.com/nocodb/nocodb/security/advisories/GHSA-8rwr-f68v-cvw6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T17:02:31.319286+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-8rwr-f68v-cvw6/GHSA-8rwr-f68v-cvw6.json 38.6.0