CVE-2026-46553
NocoDB: Attachment Size Limit Bypass via Upload-by-URL
Description

### Summary

The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` against either the remote file's advertised `Content-Length` or the decoded length of a `data:` URI, allowing an authenticated user to bypass the configured per-file size limit.

### Details

The attachments service now checks `NC_ATTACHMENT_FIELD_SIZE` against both the HEAD response's `content-length` and the decoded length of a `data:` URI body before fetching. The local storage plugin additionally sets `maxContentLength` on the axios download so a malicious server cannot stream past the limit.

### Impact

Authenticated users with upload permission could attach files larger than the operator-configured limit, defeating storage and bandwidth caps.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).
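As an added illustration of the check the Details section describes (example code written for this page, not NocoDB's own), the following Node.js functions gate an upload-by-URL request before any body is fetched: the decoded length of a `data:` URI is computed without decoding it, a HEAD response's `content-length` is compared against the limit, and because a remote server's header cannot be trusted the result also carries the axios `maxContentLength` cap to apply to the actual download. The function names, the `headHeaders` argument shape and the 5 MiB sample limit are assumptions.

```javascript
// Added example, not NocoDB's own code: size gate for an upload-by-URL path.
// The limit stands in for NC_ATTACHMENT_FIELD_SIZE; 5 MiB is an assumed value.
const LIMIT_BYTES = 5 * 1024 * 1024;

// Byte length a `data:` URI decodes to, computed without materialising the body.
function dataUriDecodedLength(uri) {
  const comma = uri.indexOf(',');
  if (!uri.startsWith('data:') || comma === -1) throw new Error('malformed data: URI');
  const meta = uri.slice(5, comma);        // e.g. "text/plain;base64"
  const payload = uri.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const clean = payload.replace(/\s+/g, '');
    const pad = clean.endsWith('==') ? 2 : clean.endsWith('=') ? 1 : 0;
    return Math.floor((clean.length * 3) / 4) - pad;
  }
  // Non-base64 bodies are percent-encoded text; measure the decoded UTF-8 bytes.
  return Buffer.byteLength(decodeURIComponent(payload), 'utf8');
}

// Decide whether the upload may proceed. `headHeaders` is the lower-cased
// header object from a HEAD request to `url` (as axios returns it), or null
// for data: URIs. Returns { allowed, size, reason, downloadOptions }.
function checkUploadByUrl(url, limit, headHeaders) {
  if (url.startsWith('data:')) {
    const size = dataUriDecodedLength(url);
    return size <= limit
      ? { allowed: true, size, reason: 'ok' }
      : { allowed: false, size, reason: 'data URI exceeds limit' };
  }
  const raw = headHeaders ? headHeaders['content-length'] : undefined;
  const declared = raw == null || raw === '' ? NaN : Number(raw);
  if (Number.isFinite(declared) && declared > limit) {
    return { allowed: false, size: declared, reason: 'content-length exceeds limit' };
  }
  // A missing or dishonest Content-Length proves nothing, so the GET itself
  // must still be capped: axios aborts the download once maxContentLength is hit.
  return {
    allowed: true,
    size: Number.isFinite(declared) ? declared : null,
    reason: 'ok',
    downloadOptions: { maxContentLength: limit },
  };
}
```

The caller issues the HEAD request, passes its headers here, and only then performs the GET with the returned `downloadOptions`; the data: URI branch never touches the network.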
Affected packages (1)
- npm/nocodb: from 0, <= 0.301.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |