CRITICAL🇵🇱 Wersja polska

CVE-2026-34156

CVSS 9.9v3.1pub. 2026-03-31upd. 2026-04-07

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.

🤖 AI Analysis
How it works

The Workflow Script Node executes JavaScript code supplied by the user inside a Node.js vm sandbox with a custom whitelist of allowed modules (controlled by the WORKFLOW_SCRIPT_MODULES environment variable). The console object is passed to the sandbox context, which through the console._stdout and console._stderr properties exposes WritableWorkerStdio stream objects belonging to the host namespace. An attacker can traverse the prototype chain of these objects to escape the sandbox isolation and gain access to the host environment. As a result, arbitrary JavaScript code execution outside the sandbox with root privileges is possible.

Impact

An attacker can achieve complete remote code execution (RCE) with root privileges on the server hosting the NocoBase application, which in practice means complete system takeover, data access, and the ability to further spread through the network.

Mitigation & patch

NocoBase should be immediately updated to version 2.0.28 or newer, in which the vulnerability has been patched. Details are available in the official vendor references (GitHub Security Advisory GHSA-px3p-vgh9-m57c and release tag v2.0.28).

Who is affected

NocoBase in all versions prior to 2.0.28

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Nocobase

    APP
    Nocobase
    < 2.0.28
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-41640HIGH7.5ten sam produkt

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solution...

CVE-2026-41641HIGH7.2ten sam produkt

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solution...

CVE-2026-34825HIGH8.5ten sam produkt

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solution...

CVE-2026-40346MEDIUM6.4ten sam produkt

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solution...