VYPR
← All advisories
Medium severity6.5GHSA Advisory· Published May 21, 2026· Updated May 21, 2026

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

CVE-2026-46551

Description

Summary

The uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service.

Details

In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. The v3 service (v3/data-attachment-v3.service.ts) already enforced the limit, but the v1/v2 endpoints (POST /api/v1/db/storage/upload-by-url, POST /api/v2/storage/upload-by-url) did not.

This is distinct from GHSA-xr7v-j379-34v9 (blind SSRF via HEAD) — same code area, different class.

Impact

  • Authenticated DoS via disk exhaustion. Editor role suffices.
  • Cascading failures once disk fills: blocked DB writes, log rotation, application crash.

Credit

This issue was reported by @ik0z.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users with Editor role can cause denial of service by directing NocoDB to download arbitrarily large files via upload-by-url endpoints, exhausting disk space.

The uploadViaURL path in NocoDB's v1 and v2 attachment API (POST /api/v1/db/storage/upload-by-url and POST /api/v2/storage/upload-by-url) fails to enforce the NC_ATTACHMENT_FIELD_SIZE limit against the remote content-length or during the download stream [1][2]. While the v3 service already checks this limit, the v1/v2 endpoints in packages/nocodb/src/services/attachments.service.ts read the content-length from a HEAD request but never compare it to the configured maximum, and subsequent download via storageAdapter.fileCreateByUrl() occurs without a maxContentLength [1][2].

An authenticated user with at least Editor privileges can exploit this by providing a URL pointing to an arbitrarily large file. The server will download the entire file without any size restriction, consuming disk space rapidly [1][2].

The impact is a denial of service through disk exhaustion. Once the disk is full, cascading failures occur, including blocked database writes, log rotation failures, and potential application crashes [1][2].

This vulnerability is distinct from a previously reported blind SSRF issue (GHSA-xr7v-j379-34v9) in the same code area [1][2]. As of the advisory, no specific patch version is mentioned; users should restrict access to these endpoints or monitor disk usage until an update is applied.

References
  1. CVE-2026-46551 - GitHub Advisory Database
  2. Missing File Size Limit on Upload-by-URL

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Nocodb/NocodbGHSA2 versions
    <= 0.301.3+ 1 more
    • (no CPE)range: <= 0.301.3
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.