
NocoDB: Stored Cross-Site Scripting via Secure Attachment

When:
Where: Global (internet)
Category: cyber_advisory · npm

### Summary

With `NC_SECURE_ATTACHMENTS=true`, an authenticated uploader could deliver `.html` or `.svg` attachments that the browser rendered inline from the NocoDB origin instead of being forced to download them.

### Details

The signed attachment handler stored the response-header overrides under PascalCase keys (`ResponseContentDisposition`, `ResponseContentType`), while the controller that served the file looked them up under lowercase-hyphen names (`response-content-disposition`, `response-content-type`). Because the keys never matched, the `Content-Disposition: attachment` override was silently dropped. Express then inferred the `Content-Type` from the file extension, and with no attachment disposition the browser rendered `.html`, `.svg` and similar files inline on the NocoDB origin.

The fix corrects the key case so the overrides are honoured, and additionally forces `Content-Disposition: attachment` and `Content-Type: application/octet-stream` for any MIME type that is not on the preview allowlist, so a future key mismatch cannot reopen the issue. To confirm a patched instance, request a signed `.html` attachment and check that the response carries `Content-Disposition: attachment` together with `Content-Type: application/octet-stream`.

### Impact

Stored Cross-Site Scripting on the NocoDB origin from inline-rendered uploads. Script executing in the victim's browser can read the auth JWT from `localStorage`. Exploitation requires authenticated upload permission and the secure-attachment mode to be enabled.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research). It was independently reported by [@DavidCarliez](https://github.com/DavidCarliez).
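The following is an added example, not NocoDB's code, that models the key-case mismatch described above and the two-part shape of the fix. The function names, the small extension-to-MIME table standing in for Express's type inference, and the preview allowlist are assumptions for illustration only.

```javascript
'use strict';
// Added illustration (hypothetical, not NocoDB's code) of the signed-attachment
// header mismatch and its fix. Names, allowlist and MIME table are assumptions.

// Stand-in for Express's extension-based Content-Type inference.
const MIME_BY_EXT = {
  png: 'image/png',
  jpg: 'image/jpeg',
  pdf: 'application/pdf',
  html: 'text/html',
  svg: 'image/svg+xml',
};

// Assumed allowlist of types the fixed controller lets the browser preview inline.
const PREVIEW_ALLOWLIST = new Set(['image/png', 'image/jpeg', 'application/pdf']);

function mimeFor(filename) {
  const ext = filename.split('.').pop().toLowerCase();
  return MIME_BY_EXT[ext] || 'application/octet-stream';
}

// Vulnerable signer: overrides stored under PascalCase keys.
function signVulnerable(filename) {
  return {
    path: filename,
    ResponseContentDisposition: 'attachment',
    ResponseContentType: mimeFor(filename),
  };
}

// Fixed signer: lowercase-hyphen keys that match what the controller reads.
function signFixed(filename) {
  return {
    path: filename,
    'response-content-disposition': 'attachment',
    'response-content-type': mimeFor(filename),
  };
}

// Controller as shipped: reads only lowercase-hyphen keys, then falls back to
// extension inference for Content-Type and sets no Content-Disposition at all.
function serveVulnerable(signed) {
  const headers = {};
  if (signed['response-content-disposition']) {
    headers['Content-Disposition'] = signed['response-content-disposition'];
  }
  headers['Content-Type'] = signed['response-content-type'] || mimeFor(signed.path);
  return headers;
}

// Fixed controller: same lookup, plus a defence in depth that forces a download
// with an opaque type for anything outside the preview allowlist, whatever the
// signature carried.
function serveFixed(signed) {
  const headers = serveVulnerable(signed);
  if (!PREVIEW_ALLOWLIST.has(headers['Content-Type'])) {
    headers['Content-Disposition'] = 'attachment';
    headers['Content-Type'] = 'application/octet-stream';
  }
  return headers;
}

// A response is rendered inline when it has no attachment disposition and a type
// the browser treats as an active document (HTML or SVG here).
function rendersInline(headers) {
  const disp = (headers['Content-Disposition'] || '').toLowerCase();
  const type = headers['Content-Type'];
  return !disp.startsWith('attachment') && (type === 'text/html' || type === 'image/svg+xml');
}

// Constructed sample: an uploaded HTML payload served by each combination.
const payload = 'payload.html';
console.log('vulnerable signer + vulnerable controller ->', serveVulnerable(signVulnerable(payload)));
console.log('fixed signer + vulnerable controller      ->', serveVulnerable(signFixed(payload)));
console.log('vulnerable signer + fixed controller      ->', serveFixed(signVulnerable(payload)));
```

Correcting the key case alone closes the reported path, since the controller then sees the `attachment` disposition. The allowlist check in `serveFixed` is what makes the handler safe even when the signer's override is missing, which is why the advisory describes the fix as having both parts.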
