CVE-2026-46553
Low, CVSS 2.1
Exploitation Probability (EPSS): Low risk, 15th percentile (higher than 15% of all known CVEs)
Summary
NocoDB is software for building databases as spreadsheets. Prior to version 2026.04.1, the upload-by-URL path did not enforce the NC_ATTACHMENT_FIELD_SIZE limit, allowing an authenticated user to bypass the configured per-file size limit.
Risk Assessment
An authenticated user can upload files larger than the configured per-file size limit, potentially leading to performance issues or data security concerns for the organization.
Recommendation
Update NocoDB to version 2026.04.1 or later to mitigate this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1.
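The two checks the description names, as an added example that is not NocoDB's code or its actual fix: a size limit applied to the advertised Content-Length and to the decoded length of a data: URI, plus a streaming counter because an advertised length can be wrong. The function names are hypothetical and `maxBytes` stands in for the configured NC_ATTACHMENT_FIELD_SIZE value.

```javascript
// Added example, not NocoDB code. maxBytes stands in for the configured
// NC_ATTACHMENT_FIELD_SIZE value; all function names are hypothetical.

// Decoded byte length of a data: URI, computed without decoding the payload.
function dataUriDecodedLength(uri) {
  const comma = uri.indexOf(',');
  if (!/^data:/i.test(uri) || comma === -1) throw new Error('malformed data: URI');
  const meta = uri.slice(5, comma);
  const payload = uri.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const b64 = payload.replace(/\s+/g, '');
    const padding = b64.endsWith('==') ? 2 : b64.endsWith('=') ? 1 : 0;
    return Math.floor((b64.length * 3) / 4) - padding;
  }
  // Percent-encoded payload: each %XX escape decodes to a single byte.
  return Buffer.byteLength(payload.replace(/%[0-9a-f]{2}/gi, 'x'), 'utf8');
}

// Pre-flight check, run before any body is fetched or stored.
// headers: remote response headers with lower-cased keys (http/https only).
function checkUploadByUrl(url, headers, maxBytes) {
  let size;
  if (/^data:/i.test(url)) {
    size = dataUriDecodedLength(url);
  } else {
    const raw = headers['content-length'];
    // Missing or non-numeric: nothing to compare, rely on the stream counter.
    if (typeof raw !== 'string' || !/^\d+$/.test(raw)) return { ok: true, size: null };
    size = Number(raw);
  }
  return size <= maxBytes ? { ok: true, size } : { ok: false, size };
}

// Content-Length is only advertised, so also count bytes as they arrive.
function makeByteCounter(maxBytes) {
  let seen = 0;
  return (chunk) => {
    seen += chunk.length;
    if (seen > maxBytes) throw new Error('attachment exceeds size limit');
    return seen;
  };
}
```

A pre-flight result of `{ ok: true, size: null }` means the remote server gave no usable length, so only the byte counter on the download stream enforces the limit in that case.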

