Impact
The vulnerability in NocoDB enables an authenticated user with Editor+ privileges to trigger the server to download files of any size from external URLs through the uploadViaURL endpoint. Because the endpoint does not check the remote content‑length or response stream against the configured maximum attachment size (NC_ATTACHMENT_FIELD_SIZE), the download can consume all available disk space, causing the application to become unavailable. This flaw is a classic example of resource exhaustion (CWE‑770).
Affected Systems
NocoDB versions prior to 2026.04.4 are affected. The vulnerability occurs in the uploadViaURL endpoint of the v1/v2 attachment API and affects any deployment that uses this feature.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. No EPSS information is available and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with Editor+ privileges to exercise the vulnerability, making the threat most likely to arise from compromised credentials or misuse by a legitimate user. The impact is restricted to the server’s disk space, resulting in a denial of service.
OpenCVE Enrichment
Github GHSA