What is GHSA-8rwr-f68v-cvw6?

GHSA-8rwr-f68v-cvw6 is a security advisory published by GitHub Security Advisories with Low severity. NocoDB: Attachment Size Limit Bypass via Upload-by-URL

Which CVE IDs does GHSA-8rwr-f68v-cvw6 cover?

GHSA-8rwr-f68v-cvw6 covers the following CVE IDs: CVE-2026-46553. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-8rwr-f68v-cvw6?

GHSA-8rwr-f68v-cvw6 affects 1 product, including: npm/nocodb:\u003c= 0.301.3.

GHSA-8rwr-f68v-cvw6Low

NocoDB: Attachment Size Limit Bypass via Upload-by-URL

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-46553 →

📋 Description

Summary

The upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit.

Details

The attachments service now checks NC_ATTACHMENT_FIELD_SIZE against both the HEAD response's content-length and the decoded length of a data: URI body before fetching. The local storage plugin additionally sets maxContentLength on the axios download so a malicious server cannot stream past the limit.

Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

NocoDB: Attachment Size Limit Bypass via Upload-by-URL

🔗 CVE IDs covered (1)

📋 Description

Summary

Details

Impact

Credit

🎯 Affected products1

🔗 References (2)