CVE-2026-46551

Name of the Vulnerable Software and Affected Versions NocoDB (affected versions not specified)

Description The uploadViaURL path in the v1/v2 attachment API fails to enforce the NC ATTACHMENT FIELD SIZE limit against the remote content-length or the response stream. An authenticated user with Editor or higher privileges can direct the server to download arbitrarily large files via the endpoints 'POST /api/v1/db/storage/upload-by-url' and 'POST /api/v2/storage/upload-by-url'. This can lead to disk space exhaustion, resulting in a denial of service that may block database writes, prevent log rotation, and cause application crashes.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.