Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to the 2026.04.1 release, the upload-by-URL path in NocoDB failed to enforce the NC_ATTACHMENT_FIELD_SIZE limit against either the remote file's advertised Content-Length header or the decoded length of a data: URI. An authenticated user could therefore upload a file larger than the configured per-file size threshold, bypassing the size restriction. This flaw allows the storage of arbitrarily large files, potentially exhausting disk space or causing other resource-based denial-of-service conditions. The vulnerability is classified as CWE-770, Allocation of Resources Without Limits or Throttling.
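To make the missing check concrete, here is an added example of the kind of pre-upload size gate an upload-by-URL endpoint needs. It is illustrative code written for this page, not NocoDB's own implementation, and it goes slightly beyond the description: besides checking the advertised Content-Length and the decoded length of a data: URI (computed arithmetically, without decoding the payload), it also caps the bytes actually received, since a remote server can omit or understate Content-Length. The constant MAX_ATTACHMENT_BYTES, its 20 MiB default, and the function names are assumptions standing in for NC_ATTACHMENT_FIELD_SIZE.

```typescript
// Added example (not NocoDB's own code): a size gate for an upload-by-URL
// endpoint. One byte ceiling is enforced against (1) the Content-Length a
// remote server advertises, (2) the decoded length of a data: URI, and
// (3) the bytes actually received. MAX_ATTACHMENT_BYTES is an assumed
// stand-in for NocoDB's NC_ATTACHMENT_FIELD_SIZE setting.
const MAX_ATTACHMENT_BYTES = 20 * 1024 * 1024;

class AttachmentTooLarge extends Error {
  readonly bytes: number;
  readonly limit: number;
  constructor(bytes: number, limit: number) {
    super(`attachment of ${bytes} bytes exceeds limit of ${limit} bytes`);
    this.name = "AttachmentTooLarge";
    this.bytes = bytes;
    this.limit = limit;
  }
}

// Octets a data: URI decodes to, derived from the encoded form only, so no
// allocation proportional to the payload happens before the check. Base64
// payloads (";base64" in the media type) yield 3 bytes per 4 characters
// minus padding; otherwise each %XX escape is one octet and every other
// character is one.
function decodedDataUriLength(uri: string): number {
  const comma = uri.indexOf(",");
  if (!uri.toLowerCase().startsWith("data:") || comma < 0) {
    throw new Error("not a data: URI");
  }
  const meta = uri.slice(5, comma).toLowerCase();
  const payload = uri.slice(comma + 1).replace(/\s+/g, "");
  if (meta.split(";").indexOf("base64") >= 0) {
    const padding = payload.endsWith("==") ? 2 : payload.endsWith("=") ? 1 : 0;
    return Math.floor((payload.length * 3) / 4) - padding;
  }
  const escapes = (payload.match(/%[0-9a-fA-F]{2}/g) || []).length;
  return payload.length - 2 * escapes;
}

// Size a remote server advertises; undefined when the header is absent,
// in which case the streaming guard below is the only effective limit.
function advertisedContentLength(headers: Record<string, string>): number | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "content-length");
  if (key === undefined) return undefined;
  const value = headers[key].trim();
  if (!/^\d+$/.test(value)) throw new Error(`malformed Content-Length: ${value}`);
  return Number(value);
}

// Decision for one upload-by-URL request before any payload is stored.
// For http(s) URLs, `headers` is the response header map of the fetch;
// for data: URLs the headers are ignored.
function precheckUploadByUrl(
  url: string,
  headers: Record<string, string> = {},
  limit: number = MAX_ATTACHMENT_BYTES,
): { advertisedBytes: number | undefined } {
  const advertisedBytes = url.toLowerCase().startsWith("data:")
    ? decodedDataUriLength(url)
    : advertisedContentLength(headers);
  if (advertisedBytes !== undefined && advertisedBytes > limit) {
    throw new AttachmentTooLarge(advertisedBytes, limit);
  }
  return { advertisedBytes };
}

// Streaming guard: collect body chunks but abort as soon as the running
// total crosses the limit, so a server that omits or understates
// Content-Length still cannot push more than `limit` bytes into storage.
function collectWithinLimit(
  chunks: Iterable<Uint8Array>,
  limit: number = MAX_ATTACHMENT_BYTES,
): Uint8Array {
  const parts: Uint8Array[] = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) throw new AttachmentTooLarge(total, limit);
    parts.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const part of parts) {
    out.set(part, offset);
    offset += part.length;
  }
  return out;
}
```

The two checks are complementary: the precheck rejects an oversized request cheaply before any network transfer or decoding, while the streaming guard is what actually bounds disk usage when the advertised size is missing or false.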

Affected Systems

The affected product is NocoDB (vendor nocodb) in any release before 2026.04.1. Any deployment that exposes the upload-by-URL functionality to authenticated users is affected, since any such user can trigger the bypass.

Risk and Exploitability

The CVSS score of 2.1 reflects a low impact on confidentiality, integrity, and availability. There is no EPSS score available and the issue is not listed in the CISA KEV catalog. Exploitation requires valid credentials and access to the upload-by-URL path; unauthenticated users cannot trigger the bypass.

Generated by OpenCVE AI on June 24, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later, which enforces the attachment size limit on upload-by-URL.
  • If an upgrade is not immediately possible, disable the upload-by-URL feature or remove it from authenticated routes to prevent use of the bypass.
  • Configure the NC_ATTACHMENT_FIELD_SIZE parameter to enforce a stricter size limit, or set custom limits on the server side, to reduce the risk of resource exhaustion (on unpatched releases the parameter is not applied to the upload-by-URL path, so it constrains only the other upload paths).


Tracking


Advisories
Source: Github GHSA
ID: GHSA-8rwr-f68v-cvw6
Title: NocoDB: Attachment Size Limit Bypass via Upload-by-URL
History

Wed, 24 Jun 2026 02:30:00 +0000

Type: First Time appeared
  Values added: Nocodb; Nocodb nocodb
Type: Vendors & Products
  Values added: Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
  Values added: NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1.
Type: Title
  Values added: NocoDB: Attachment Size Limit Bypass via Upload-by-URL
Type: Weaknesses
  Values added: CWE-770
Type: References
Type: Metrics
  Values added: cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:37:12.238Z

Reserved: 2026-05-14T20:42:31.369Z

Link: CVE-2026-46553

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling