ReportizFlow
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Nocodb |
|
No data.
No data.
References
History
Wed, 24 Jun 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Nocodb
Nocodb nocodb |
|
| Vendors & Products |
Nocodb
Nocodb nocodb |
Tue, 23 Jun 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1. | |
| Title | NocoDB: Attachment Size Limit Bypass via Upload-by-URL | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-23T20:37:12.238Z
Updated: 2026-06-23T20:37:12.238Z
Reserved: 2026-05-14T20:42:31.369Z
Link: CVE-2026-46553
Vulnrichment
No data.
NVD
No data.
Redhat
No data.