Allocation of Resources Without Limits or Throttling in nocodb | CVE-2026-46551

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Introduced: 21 May 2026

NewCVE-2026-46551 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

nocodb is a NocoDB

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AttachmentsService upload-by-URL path in the attachment handling code. An attacker can exhaust storage or processing resources by providing a remote file URL pointing to a very large file. The service accepts the response metadata from the fetched URL without enforcing a file size limit, allowing oversized uploads to be pulled into the attachment workflow and disrupting normal application use.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting nocodb package, versions *

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 21 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk