VYPR
Low severityGHSA Advisory· Published May 21, 2026· Updated May 21, 2026

NocoDB: Attachment Size Limit Bypass via Upload-by-URL

CVE-2026-46553

Description

Summary

The upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.

Details

The attachments service now checks NC_ATTACHMENT_FIELD_SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.

Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

Credit

This issue was reported by @bugbunny-research.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nocodbnpm
<= 0.301.3

Affected products

1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.