Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-vj97-k2hc-jkcp
Vulnerability ID VCID-vj97-k2hc-jkcp
Aliases CVE-2026-46551
GHSA-99vc-2jx2-688p
Summary NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion ### Summary The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. ### Details In `packages/nocodb/src/services/attachments.service.ts`, the HEAD probe read `content-length` but never compared it to `NC_ATTACHMENT_FIELD_SIZE`; the subsequent `storageAdapter.fileCreateByUrl()` performed the download without `maxContentLength`. The v3 service (`v3/data-attachment-v3.service.ts`) already enforced the limit, but the v1/v2 endpoints (`POST /api/v1/db/storage/upload-by-url`, `POST /api/v2/storage/upload-by-url`) did not. This is distinct from GHSA-xr7v-j379-34v9 (blind SSRF via HEAD) — same code area, different class. ### Impact - Authenticated DoS via disk exhaustion. Editor role suffices. - Cascading failures once disk fills: blocked DB writes, log rotation, application crash. ### Credit This issue was reported by [@ik0z](https://github.com/ik0z).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-770 Allocation of Resources Without Limits or Throttling
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-99vc-2jx2-688p
cvssv3.1 6.5 https://github.com/nocodb/nocodb
generic_textual MODERATE https://github.com/nocodb/nocodb
cvssv3.1 6.5 https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p
cvssv3.1_qr MODERATE https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p
generic_textual MODERATE https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p
Reference id Reference type URL
https://github.com/nocodb/nocodb
https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p
GHSA-99vc-2jx2-688p https://github.com/advisories/GHSA-99vc-2jx2-688p
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nocodb/nocodb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T17:02:46.164774+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-99vc-2jx2-688p/GHSA-99vc-2jx2-688p.json 38.6.0