CVE Catalog

CVE-2026-46551

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

NocoDB prior to version 2026.04.4 had a vulnerability in the attachment API that allowed authenticated users to download arbitrarily large files, leading to disk space exhaustion and denial of service.

Risk Assessment

The organization may experience availability issues due to disk resource exhaustion, which can impact business operations.

Recommendation

It is recommended to update NocoDB to version 2026.04.4 or later to mitigate this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. This vulnerability is fixed in 2026.04.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS