Impact
Prior to 2026.04.1, NocoDB’s upload‑by‑URL feature ignored the configured NC_ATTACHMENT_FIELD_SIZE limit when evaluating the remote file’s Content‑Length header or the decoded size of a data URI, allowing an authenticated user to upload a file larger than the allowed size. This privileged bypass enables storage of arbitrarily large files, potentially exhausting disk space or triggering resource‑based denial‑of‑service conditions. The flaw is categorized as CWE‑770, indicating a limitation on available resources.
Affected Systems
The affected product is NocoDB (vendor nocodb) running any release before 2026.04.1. Any user who relies on the upload‑by‑URL functionality and has authentication privileges is at risk.
Risk and Exploitability
The CVSS score of 2.1 reflects a low impact on confidentiality, integrity, and availability. There is no EPSS score available and the issue is not listed in the CISA KEV catalog. Exploitation requires valid authentication and use of the upload‑by‑URL path; it does not permit unauthenticated users to acquire or deliver large files.
OpenCVE Enrichment
Github GHSA