CVE-2026-34156
CRITICAL
9,9
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Description
AI Translation Available
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
913
Improper Control of Dynamically-Managed Code Resources
IncompleteCommon Consequences
Security Scopes Affected:
Integrity
Other
Potential Impacts:
Execute Unauthorized Code Or Commands
Varies By Context
Alter Execution Logic
Applicable Platforms
Languages:
Interpreted, Not Language-Specific
https://github.com/nocobase/nocobase/pull/8967
https://github.com/nocobase/nocobase/releases/tag/v2.0.28
https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c