PT-2026-26215 · Nhost · Nhost

0Xkakash1

·

Published

2026-03-18

·

Updated

2026-03-27

·

CVE-2026-33221

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Nhost versions prior to 0.12.0
Description: Nhost's storage service (services/storage) trusts the Content-Type header that the client supplies for a multipart file part instead of detecting the file's actual MIME type from its content. The getMultipartFile function (lines 48-70 of the upload files.go file) only runs MIME type detection when the client-provided Content-Type is application/octet-stream; for any other value the client-supplied string is used as-is. An attacker can therefore upload a file whose declared type does not match its real content, bypassing any MIME-type restrictions configured on storage buckets. The stored object is then tagged with incorrect MIME type metadata, which can affect how consuming systems handle the file. The vulnerable parameter is the Content-Type header of the uploaded file part.
Recommendations: Update versions prior to 0.12.0 to version 0.12.0 or later. Always detect the MIME type from the file content (for example with mimetype.DetectReader) and disregard the client-provided Content-Type header.
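The following is an added example, not code from Nhost or this advisory, showing the trust-the-header logic described above beside the content-detection fix, run over a constructed multipart upload that declares image/png but carries HTML. The bucket allow-list, the part name "file[]" and the metadata struct are assumptions for illustration; the advisory's fix uses mimetype.DetectReader, and this example substitutes the standard library's http.DetectContentType so it runs without third-party modules.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/textproto"
	"strings"
)

// FileMeta is the metadata an upload handler would record for a stored object (assumed shape).
type FileMeta struct {
	Name     string
	MimeType string
	Size     int
}

// detectFn decides the MIME type from the client's Content-Type header and the file bytes.
type detectFn func(clientType string, body []byte) string

// sniff detects the MIME type from content only. Stand-in for mimetype.DetectReader:
// http.DetectContentType looks at the first 512 bytes; parameters like "; charset=utf-8" are dropped.
func sniff(body []byte) string {
	ct := http.DetectContentType(body)
	if i := strings.IndexByte(ct, ';'); i >= 0 {
		ct = ct[:i]
	}
	return strings.TrimSpace(ct)
}

// vulnerableMime mirrors the pre-0.12.0 behaviour described in the advisory: the
// client header is trusted unless it is application/octet-stream, and only then is
// the content actually inspected.
func vulnerableMime(clientType string, body []byte) string {
	if clientType != "" && clientType != "application/octet-stream" {
		return clientType
	}
	return sniff(body)
}

// fixedMime follows the recommendation: the client header is ignored outright.
func fixedMime(_ string, body []byte) string {
	return sniff(body)
}

// bucketAllows models a per-bucket allowed-MIME-type list (hypothetical policy, not Nhost's schema).
func bucketAllows(allowed []string, mimeType string) bool {
	for _, a := range allowed {
		if a == mimeType {
			return true
		}
	}
	return false
}

// buildUpload constructs a multipart/form-data body with one file part whose
// Content-Type header is attacker-controlled. Constructed sample, not captured traffic.
func buildUpload(filename, claimedType string, content []byte) (*bytes.Buffer, string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	h := make(textproto.MIMEHeader)
	h.Set("Content-Disposition", fmt.Sprintf(`form-data; name="file[]"; filename="%s"`, filename))
	h.Set("Content-Type", claimedType)
	part, err := w.CreatePart(h)
	if err != nil {
		panic(err)
	}
	part.Write(content)
	w.Close()
	return &buf, w.Boundary()
}

// processUpload reads the first file part, determines its MIME type with the given
// policy, and enforces the bucket restriction before returning the metadata to store.
func processUpload(r io.Reader, boundary string, allowed []string, detect detectFn) (FileMeta, error) {
	mr := multipart.NewReader(r, boundary)
	p, err := mr.NextPart()
	if err != nil {
		return FileMeta{}, err
	}
	defer p.Close()
	body, err := io.ReadAll(p)
	if err != nil {
		return FileMeta{}, err
	}
	mimeType := detect(p.Header.Get("Content-Type"), body)
	if !bucketAllows(allowed, mimeType) {
		return FileMeta{}, fmt.Errorf("mime type %q not allowed in bucket", mimeType)
	}
	return FileMeta{Name: p.FileName(), MimeType: mimeType, Size: len(body)}, nil
}

func main() {
	allowed := []string{"image/png", "image/jpeg"}
	html := []byte("<html><body><script>alert(1)</script></body></html>")
	for name, detect := range map[string]detectFn{"vulnerable": vulnerableMime, "fixed": fixedMime} {
		body, boundary := buildUpload("avatar.png", "image/png", html)
		meta, err := processUpload(body, boundary, allowed, detect)
		fmt.Printf("%-10s meta=%+v err=%v\n", name, meta, err)
	}
}
```

With the vulnerable policy the HTML file is stored as image/png and passes the image-only bucket; with the fixed policy it is detected as text/html and rejected, while a genuine PNG sent with application/octet-stream is still accepted. Content sniffing has its own limits (polyglot files, formats the detector does not know), so a bucket that serves uploads back to browsers should still pair detection with a strict Content-Type on download and an appropriate Content-Disposition.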

Weakness Enumeration

Insufficient Verification of Data Authenticity (CWE-345)
Unrestricted File Upload (CWE-434)

Related Identifiers

CVE-2026-33221
GHSA-G9F6-9775-HFFM
GO-2026-4759
SUSE-SU-2026:1135-1

Affected Products

Nhost