PT-2026-50475 · Npm · Nocodb

Published

2026-06-17

·

Updated

2026-06-17

·

CVE-2026-53929

CVSS v4.0

5.1

Medium

Vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

With NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of being forced to download them.

Details

The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType), while the controller that served the file looked them up under lowercase-hyphen names (response-content-disposition, response-content-type). Because the lookup never matched, the Content-Disposition: attachment header was silently dropped and Express fell back to a Content-Type derived from the file extension, so the browser rendered .html, .svg and similar files inline on the NocoDB origin. The fix corrects the key case and, independently of the override lookup, forces Content-Disposition: attachment and Content-Type: application/octet-stream for any MIME type not on the preview allowlist, so a future key mismatch can no longer reintroduce inline rendering.

Impact

Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script executing in the victim's browser can read the auth JWT from localStorage. Exploitation requires authenticated upload permission and the secure-attachment mode to be enabled.

Credit

This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-53929
GHSA-6MHR-74X2-98V9

Affected products

Nocodb