MIME Type Bypass Vulnerability in Nhost Storage Service
CVE-2026-33221

2.1 LOW

Key Information:

Vendor: Nhost

Status
Vendor
CVE Published: 20 March 2026

What is CVE-2026-33221?

Nhost is an open-source alternative to Firebase that uses GraphQL. Its storage service contains a vulnerability in versions prior to 0.12.0: the file upload handler trusts the client-supplied Content-Type header, so server-side MIME type restrictions can be bypassed. A malicious user could upload files with arbitrary MIME types, potentially leading to unauthorized access or exploitation of the system. The vulnerability is addressed in version 0.12.0, which implements proper MIME type detection.
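The difference between trusting the Content-Type header and detecting the type from the uploaded bytes, as an added Go example that is not Nhost's code. The allow-list, function names and sample uploads are assumptions constructed for illustration, and the standard library's `http.DetectContentType` stands in for whatever detection version 0.12.0 actually uses.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// allowedMIME is a hypothetical bucket policy (assumption): images only.
var allowedMIME = map[string]bool{"image/png": true, "image/jpeg": true}

// Constructed sample uploads; both arrive with "Content-Type: image/png".
var (
	samplePNG  = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	sampleHTML = []byte("<html><body><h1>not an image</h1></body></html>")
)

// checkTrustingHeader is the flawed pattern: the policy is evaluated against
// the client's claim, and that claim is what gets stored and served back.
func checkTrustingHeader(claimed string, body []byte) (string, bool) {
	return claimed, allowedMIME[claimed]
}

// checkSniffingContent ignores the claim and derives the type from the bytes.
// http.DetectContentType inspects at most the first 512 bytes.
func checkSniffingContent(claimed string, body []byte) (string, bool) {
	detected := http.DetectContentType(body)
	// Drop parameters such as "; charset=utf-8" before the policy lookup.
	if i := strings.IndexByte(detected, ';'); i >= 0 {
		detected = strings.TrimSpace(detected[:i])
	}
	return detected, allowedMIME[detected]
}

func main() {
	for name, body := range map[string][]byte{"png": samplePNG, "html": sampleHTML} {
		t1, ok1 := checkTrustingHeader("image/png", body)
		t2, ok2 := checkSniffingContent("image/png", body)
		fmt.Printf("%-4s header-trust: %s accepted=%v | sniffed: %s accepted=%v\n",
			name, t1, ok1, t2, ok2)
	}
}
```

The detected type, not the claimed one, is also the value to store and to return in the download response.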

Affected Version(s)

nhost < 0.12.0

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
