GHSA-6mhr-74x2-98v9Medium

NocoDB: Stored Cross-Site Scripting via Secure Attachment

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

With NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download.

Details

The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. The fix corrects the key case and additionally forces Content-Disposition: attachment and Content-Type: application/octet-stream for any MIME type not on the preview allowlist.

Impact

Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script executing in the victim's browser can read the auth JWT from localStorage. Exploitation requires authenticated upload permission and the secure-attachment mode to be enabled.

Credit

This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.

🎯 Affected products1

  • npm/nocodb:<= 0.301.3

🔗 References (2)