Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
Published: 2026-03-20
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: MIME Type Spoofing
Action: Patch
AI Analysis

Impact

The vulnerability stems from the storage service accepting the client‑provided Content‑Type header without any server‑side MIME type validation. As a result an attacker can send a file where the declared MIME type differs from the actual content, allowing the upload of files that bypass any MIME‑type restrictions that have been configured on storage buckets. This could lead to the storage of disallowed or potentially malicious files, compromising data integrity or exposure.

Affected Systems

The flaw affects Nhost’s storage component in all releases prior to version 0.12.0. Any deployment of the Nhost storage service that has not applied the 0.12.0 update is vulnerable.

Risk and Exploitability

The CVSS score is 2.1, indicating low severity. No EPSS data is provided, and the vulnerability is not in the CISA KEV catalog. The likely attack vector is a remote file‑upload request sent to the storage API; this is inferred based on the nature of the service. While the flaw does not enable remote code execution, it does allow authenticated clients to bypass policy controls, potentially compromising stored data.

Generated by OpenCVE AI on March 21, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nhost storage component to version 0.12.0 or later to apply the fix.

Generated by OpenCVE AI on March 21, 2026 at 07:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g9f6-9775-hffm Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
History

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Nhost
Nhost nhost
Vendors & Products Nhost
Nhost nhost

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
Title Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
Weaknesses CWE-343
CWE-345
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nhost Nhost
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:44:43.741Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33221

cve-icon Vulnrichment

Updated: 2026-03-25T13:44:39.141Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T23:16:46.163

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-33221

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:55Z

Weaknesses