Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. This vulnerability is fixed in 2026.04.4.
Published: 2026-06-23
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing size check allowed an authenticated editor to have the server download arbitrarily large files from any URL, consuming disk space and rendering the service unavailable. The vulnerability is a classic example of resource exhaustion (CWE-770).

Affected Systems

NocoDB versions before 2026.04.4 are affected. The flaw occurs in the uploadViaURL path of the v1/v2 attachment API and affects all deployments that rely on this feature.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. No EPSS information is available and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user with Editor+ privileges, so it is most likely exploitable by an attacker who has compromised credentials or by a legitimate user misusing the feature. The impact is local to the server’s disk space; no remote code execution or data disclosure is described.

Generated by OpenCVE AI on June 24, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.4 or later.
  • Configure your attachment service to enforce a maximum download size corresponding to NC_ATTACHMENT_FIELD_SIZE.
  • Deploy disk‑space monitoring and alerts to detect early exhaustion and respond before the service is taken down.
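As an added example (not NocoDB's code; the names, the limit value and the fake remote are assumptions for the demo), the two checks the description above says the upload-by-URL path lacked and that the second recommended action asks for: compare the content-length from the HEAD probe to the configured limit before any download begins, and cap the bytes actually read from the response body so that a missing, chunked or false content-length cannot bypass the limit.

```typescript
// Added illustration, not NocoDB's code: models the two checks the advisory
// says upload-by-URL lacked. Names, the limit value and the fake remote are
// assumptions for the demo.

// Stands in for the NC_ATTACHMENT_FIELD_SIZE setting (value assumed).
const ATTACHMENT_SIZE_LIMIT = 1024;

// What the HEAD probe yields: content-length is optional because a remote may
// omit it, use chunked encoding, or simply report a false value.
interface HeadProbe {
  contentLength: number | null;
}

// Minimal pull-based body reader (the shape of a Web Streams reader): returns
// the next chunk, or null once the body is exhausted.
interface BodyReader {
  read(): Uint8Array | null;
}

type FetchResult =
  | { ok: true; bytes: number }
  | { ok: false; reason: "declared-too-large" | "stream-too-large"; observed: number };

// Check 2: count bytes as they arrive and abort at the first chunk that pushes
// the total past the limit. This is the check that holds even when
// content-length is absent or wrong; a real service would hand each accepted
// chunk to its storage adapter here rather than buffering the whole body.
function readBounded(body: BodyReader, limit: number): FetchResult {
  let total = 0;
  for (let chunk = body.read(); chunk !== null; chunk = body.read()) {
    total += chunk.byteLength;
    if (total > limit) {
      return { ok: false, reason: "stream-too-large", observed: total };
    }
  }
  return { ok: true, bytes: total };
}

// The hardened flow: Check 1 rejects on the declared size before any bytes are
// fetched, then Check 2 bounds the actual download.
function fetchAttachmentBounded(
  probe: HeadProbe,
  body: BodyReader,
  limit: number = ATTACHMENT_SIZE_LIMIT
): FetchResult {
  if (probe.contentLength !== null && probe.contentLength > limit) {
    return { ok: false, reason: "declared-too-large", observed: probe.contentLength };
  }
  return readBounded(body, limit);
}

// Constructed fake remote for the demo: serves `count` chunks of `chunkSize`
// bytes and records how many were pulled, so a caller can verify that an
// oversized body was cut short rather than drained to disk.
class FakeRemote implements BodyReader {
  pulls = 0;
  private readonly chunkSize: number;
  private readonly count: number;
  constructor(chunkSize: number, count: number) {
    this.chunkSize = chunkSize;
    this.count = count;
  }
  read(): Uint8Array | null {
    if (this.pulls >= this.count) return null;
    this.pulls += 1;
    return new Uint8Array(this.chunkSize);
  }
}

// Three scenarios: an honest small file, a HEAD response declaring 10 MiB, and
// a remote that omits content-length and streams 100 chunks of 256 bytes.
function runScenarios() {
  const honest = new FakeRemote(256, 2);
  const declared = new FakeRemote(256, 1);
  const unbounded = new FakeRemote(256, 100);
  return {
    honest: fetchAttachmentBounded({ contentLength: 512 }, honest),
    declaredTooLarge: fetchAttachmentBounded({ contentLength: 10 * 1024 * 1024 }, declared),
    declaredPulls: declared.pulls, // 0: nothing fetched after the HEAD reject
    streamTooLarge: fetchAttachmentBounded({ contentLength: null }, unbounded),
    streamPulls: unbounded.pulls, // 5: aborted on the chunk that crossed 1024 bytes
  };
}

console.log(runScenarios());
```

The HEAD check is only a cheap early reject: content-length is supplied by the remote server, so the byte counter on the response stream is the control that actually bounds disk usage. Whichever HTTP client the service uses, the equivalent of a per-request maximum body size (the advisory mentions a `maxContentLength` option on the download call) should be set as well, so that the limit holds even if the streaming path is bypassed.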



Advisories
Source: GitHub GHSA
ID: GHSA-99vc-2jx2-688p
Title: NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared
  Values added: Nocodb; Nocodb nocodb
Type: Vendors & Products
  Values added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
  Values added: NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. This vulnerability is fixed in 2026.04.4.
Type: Title
  Values added: NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
Type: Weaknesses
  Values added: CWE-770
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:31:55.131Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46551

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling