PT-2026-29158 · Nocobase · Nocobase

Onurcangnc · Published 2026-03-30 · Updated 2026-05-07

CVE-2026-34156
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NocoBase versions prior to 2.0.28
Description: NocoBase is an AI-powered no-code/low-code platform. Versions of NocoBase prior to 2.0.28 contain a flaw that allows an authenticated attacker to achieve Remote Code Execution (RCE) as root. The Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox whose console object exposes host-realm WritableWorkerStdio stream objects (console.stdout and console.stderr). Because these streams belong to the host realm, traversing their prototype chain reaches the host-realm Function constructor, which lets the script escape the sandbox, reach the Node.js process object, and load modules such as child_process to execute commands. The impact includes theft of database credentials, arbitrary file read and write, and establishment of a reverse shell; the issue has been confirmed with a reverse shell and the ability to dump system information and credentials.
Recommendations: Update NocoBase to version 2.0.28 or later.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-34156
GHSA-PX3P-VGH9-M57C

Affected Products

Nocobase