Denial of Service Vulnerability in NocoDB by NocoDB Inc.
CVE-2026-46551

6.5 MEDIUM

Key Information:

Vendor

Nocodb

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-46551?

NocoDB, database software with a spreadsheet interface, contains a vulnerability in its v1/v2 attachment API: the uploadViaURL endpoint fails to enforce restrictions on file size. An authenticated user with Editor privileges can make the server download overly large files, resulting in significant disk space exhaustion and potential service unavailability. The issue arises because the content-length check is not properly enforced against the defined NC_ATTACHMENT_FIELD_SIZE limit, so files beyond the intended capacity are downloaded. This vulnerability has been addressed in the 2026.04.4 update.
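The following is an added example, not NocoDB's code or its patch: one way a handler that fetches a user-supplied URL can enforce a size cap, rejecting on the declared Content-Length first and then counting bytes as they arrive. The function names, the `sink` and `abort` callbacks and the 20 MiB value standing in for NC_ATTACHMENT_FIELD_SIZE are assumptions for illustration.

```javascript
// Added example; hypothetical names, not NocoDB's implementation.
// Constructed stand-in for the configured NC_ATTACHMENT_FIELD_SIZE limit.
const MAX_ATTACHMENT_BYTES = 20 * 1024 * 1024;

class SizeLimitError extends Error {}

// Check 1: reject early on the declared Content-Length, if one was sent.
function checkDeclaredLength(headerValue, limit) {
  if (headerValue === undefined || headerValue === null) return; // absent: rely on check 2
  const text = String(headerValue).trim();
  if (!/^\d+$/.test(text)) {
    throw new SizeLimitError('malformed Content-Length');
  }
  if (Number(text) > limit) {
    throw new SizeLimitError(`declared size ${text} exceeds limit ${limit}`);
  }
}

// Check 2: count the bytes actually received. The header can be missing
// (chunked transfer) or understate the body, so check 1 alone is not enough.
function createByteCounter(limit) {
  let received = 0;
  return function accept(chunk) {
    received += chunk.byteLength;
    if (received > limit) {
      throw new SizeLimitError(`received ${received} bytes, limit is ${limit}`);
    }
    return received;
  };
}

// Applies both checks to any async iterable of Uint8Array chunks, such as a
// fetch() response body. `sink` writes a chunk; `abort` must cancel the
// request and delete the partial file so rejected downloads leave no data.
async function downloadCapped(headers, body, sink, abort, limit = MAX_ATTACHMENT_BYTES) {
  try {
    checkDeclaredLength(headers['content-length'], limit);
    const accept = createByteCounter(limit);
    for await (const chunk of body) {
      accept(chunk); // throws before the oversized chunk reaches disk
      await sink(chunk);
    }
  } catch (err) {
    await abort();
    throw err;
  }
}
```
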

Affected Version(s)

nocodb < 2026.04.4

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
