Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
Published: 2026-03-31
Score: 10 (Critical)
EPSS: 8.9% (Low)
KEV: No
Impact: Remote Code Execution as root
Action: Immediate Patch
AI Analysis

Impact

The flaw in NocoBase’s Workflow Script Node lets an authenticated attacker run user‑supplied JavaScript inside a Node.js VM sandbox. Because the sandboxed code receives a console object that leaks host‑level WritableWorkerStdio streams through console._stdout and console._stderr, an attacker can traverse the prototype chain to escape the sandbox. The escape grants unrestricted execution privileges on the underlying operating system, effectively achieving remote code execution with root authority. This weakness corresponds to CWE‑913, reflecting an improper control of the execution environment.

Affected Systems

NocoBase is the affected product. All releases before v2.0.28 are vulnerable. The patch, released in v2.0.28, addresses the issue.

Risk and Exploitability

The vulnerability carries the maximum CVSS score of 10, indicating critical severity. An EPSS score of 9% suggests a moderate probability of exploitation in the wild. The issue is not listed in CISA’s KEV catalog, implying no known widespread exploitation yet. Exploitation requires authenticated access to the NocoBase instance with the ability to create or modify workflow scripts. An attacker can embed JavaScript that traverses the prototype chain via console._stdout, escapes the VM boundary, and runs arbitrary commands as the host process user. Since the escape grants root‑level permissions, any compromised server can be fully taken over.

Generated by OpenCVE AI on April 21, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the NocoBase update to version 2.0.28 or newer immediately.
  • Restrict user permissions for creating or editing Workflow Script Nodes to trusted administrators only.
  • Continuously monitor system logs for anomalies such as unexpected console usage or sandbox escape attempts.

Advisories

Source: Github GHSA
ID: GHSA-px3p-vgh9-m57c
Title: NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
History

Tue, 07 Apr 2026 21:00:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:nocobase:nocobase:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000
  Type: First Time appeared
  Values added: Nocobase; Nocobase nocobase
  Type: Vendors & Products
  Values added: Nocobase; Nocobase nocobase

Tue, 31 Mar 2026 13:45:00 +0000
  Type: Description
  Values added: (text identical to the Description section above)
  Type: Title
  Values added: NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
  Type: Weaknesses
  Values added: CWE-913
  Type: References
  Values added: (none shown)
  Type: Metrics (cvssV3_1)
  Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-02T15:08:38.165Z
Reserved: 2026-03-25T20:12:04.196Z
Link: CVE-2026-34156

Vulnrichment

Updated: 2026-04-02T15:08:32.762Z

NVD

Status: Analyzed
Published: 2026-03-31T14:16:12.170
Modified: 2026-04-07T20:57:55.957
Link: CVE-2026-34156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses