CVE-2026-46551

MEDIUM 6.5

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. This vulnerability is fixed in 2026.04.4.

CWE	CWE-770
Vendor	nocodb
Product	nocodb
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for nocodb nocodb

Be the first to know when new medium vulnerabilities affecting nocodb nocodb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

nocodb / nocodb

< 2026.04.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nocodb/nocodb/security/advisories/GHSA-99vc-2jx2-688p