๐Ÿ” CVE Alert

CVE-2026-33221

UNKNOWN 0.0

Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 1st

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
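The difference between checking the declared type and checking the detected type, as an added Go example. It is not Nhost's code or the patch from version 0.12.0; `trustsHeader`, `checkUpload`, the bucket policy and the sample upload are all constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime"
	"net/http"
)

// trustsHeader is the flawed pattern: the bucket allowlist is checked against
// the client-declared Content-Type, which the uploader fully controls.
func trustsHeader(declared string, allowed map[string]bool) bool {
	return allowed[declared]
}

// checkUpload (hypothetical helper) checks the allowlist against the type
// sniffed from the file's leading bytes. It returns the detected type and a
// reader that replays the whole body so storage still receives every byte.
func checkUpload(body io.Reader, allowed map[string]bool) (string, io.Reader, error) {
	head := make([]byte, 512) // http.DetectContentType inspects at most 512 bytes
	n, err := io.ReadFull(body, head)
	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
		return "", nil, err
	}
	head = head[:n]
	detected := http.DetectContentType(head)
	if mt, _, perr := mime.ParseMediaType(detected); perr == nil {
		detected = mt // drop parameters such as "; charset=utf-8"
	}
	if !allowed[detected] {
		return detected, nil, fmt.Errorf("detected type %q is not allowed for this bucket", detected)
	}
	return detected, io.MultiReader(bytes.NewReader(head), body), nil
}

func main() {
	allowed := map[string]bool{"image/png": true} // constructed bucket policy
	// Constructed upload: HTML bytes sent with "Content-Type: image/png".
	html := []byte("<html><body>not an image</body></html>")
	fmt.Println("header-based check accepts:", trustsHeader("image/png", allowed))
	detected, _, err := checkUpload(bytes.NewReader(html), allowed)
	fmt.Println("content-based check:", detected, err)
}
```

`http.DetectContentType` recognises a fixed set of signatures and falls back to `application/octet-stream`, so an allowlist of detected types fails closed for formats it does not know.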

CWE: CWE-345, CWE-343
Vendor: nhost
Product: nhost
Published: Mar 20, 2026
Last Updated: Mar 25, 2026

Affected Versions

nhost / nhost
< 0.12.0

References

https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm
https://github.com/nhost/nhost/pull/4018
https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85
https://github.com/nhost/nhost/releases/tag/storage%400.12.0