
PatchSiren cyber security CVE debrief

CVE-2026-53929 nocodb CVE debrief

CVE-2026-53929 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, when NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. This occurred due to a mismatch in how response-header overrides were stored and read. The signed attachment handler stored these overrides under PascalCase keys, while the controller serving the file read them under lowercase-hyphen names. As a result, the Content-Disposition: attachment header was dropped, allowing Express to auto-render .html, .svg, and similar files inline. This vulnerability has been fixed in version 2026.05.1.

Vendor: nocodb
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Organizations using NocoDB prior to version 2026.05.1 should be aware of this vulnerability, especially if they have NC_SECURE_ATTACHMENTS=true configured. Authenticated users with upload privileges could use it to serve attacker-controlled HTML or SVG from the NocoDB origin.

Technical summary

The vulnerability arises from a mismatch in the key names used for response-header overrides when NocoDB serves uploaded files. Specifically, the signed attachment handler stores the overrides under PascalCase keys (e.g., ResponseContentDisposition, ResponseContentType), while the controller that serves the files looks them up under lowercase-hyphen names (e.g., response-content-disposition). Because the lookup never matches, the Content-Disposition: attachment header is omitted and Express serves .html, .svg, and similar files inline instead of forcing a download. The issue is exacerbated by the fact that NocoDB allows authenticated users to upload attachments: an attacker could upload a malicious .html or .svg file, which the browser would then render from the NocoDB origin, potentially leading to XSS or other malicious activity.
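To make the mechanism concrete, the following is an added JavaScript example; it is not NocoDB's code, and every function, constant and key name in it is an assumption for illustration. It models a signing side that writes PascalCase override keys, a serving side that reads lowercase-hyphen names and therefore silently drops Content-Disposition, and a hardened serving path that normalises the keys before lookup and, as defence in depth, forces attachment plus nosniff and a CSP sandbox for active-content extensions even when no override is present.

```javascript
// Added example (not NocoDB's code): models the override-key mismatch the
// advisory describes and a hardened file-serving path that closes it.
// All names below are assumptions for illustration.

// Constructed override map in the shape the advisory attributes to the signed
// attachment handler: PascalCase keys.
const SIGNED_OVERRIDES = {
  ResponseContentDisposition: 'attachment',
  ResponseContentType: 'application/octet-stream',
};

// Extensions a browser will execute or render as active content when served
// inline from the application origin.
const ACTIVE_CONTENT_EXT = new Set(['.html', '.htm', '.xhtml', '.svg', '.xml']);

// Lowercased file extension including the dot, or '' if there is none.
function extname(filename) {
  const i = filename.lastIndexOf('.');
  return i < 0 ? '' : filename.slice(i).toLowerCase();
}

// Normalise any spelling (PascalCase, snake_case, lowercase-hyphen) of an
// override key to canonical lowercase-hyphen form.
function canonicalKey(key) {
  return key
    .replace(/([a-z0-9])([A-Z])/g, '$1-$2') // ResponseContentType -> Response-Content-Type
    .replace(/_/g, '-')
    .toLowerCase();
}

// Vulnerable lookup: only the exact lowercase-hyphen spelling is consulted,
// so the PascalCase keys written by the signing side are never matched.
function lookupOverrideBuggy(overrides, name) {
  return overrides[name];
}

// Fixed lookup: normalise both sides before comparing.
function lookupOverride(overrides, name) {
  const want = canonicalKey(name);
  for (const [key, value] of Object.entries(overrides)) {
    if (canonicalKey(key) === want) return value;
  }
  return undefined;
}

// Header construction as the advisory describes the pre-fix controller:
// the overrides are the only source of Content-Disposition.
function buildHeadersBuggy(filename, overrides) {
  const headers = {};
  const ctype = lookupOverrideBuggy(overrides, 'response-content-type');
  const disp = lookupOverrideBuggy(overrides, 'response-content-disposition');
  if (ctype) headers['Content-Type'] = ctype;
  if (disp) headers['Content-Disposition'] = disp;
  return headers;
}

// Hardened header construction: key-normalised lookup plus defence in depth so
// active content is never rendered inline even if an override is absent.
function buildHeadersHardened(filename, overrides) {
  const headers = {};
  const ctype = lookupOverride(overrides, 'response-content-type');
  const disp = lookupOverride(overrides, 'response-content-disposition');
  if (ctype) headers['Content-Type'] = ctype;
  if (disp) headers['Content-Disposition'] = disp;
  if (!headers['Content-Disposition'] && ACTIVE_CONTENT_EXT.has(extname(filename))) {
    headers['Content-Disposition'] = 'attachment';
  }
  // Stop MIME sniffing and, should anything still be rendered, deny it script
  // execution and same-origin access (compensating control, independent of the fix).
  headers['X-Content-Type-Options'] = 'nosniff';
  headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  return headers;
}

// Rough model of browser behaviour: active content is rendered inline when the
// response carries no attachment disposition.
function rendersInline(filename, headers) {
  const disp = (headers['Content-Disposition'] || '').toLowerCase();
  if (disp.startsWith('attachment')) return false;
  return ACTIVE_CONTENT_EXT.has(extname(filename));
}

const demoFile = 'payload.html'; // constructed filename for the demonstration
console.log('buggy renders inline:   ', rendersInline(demoFile, buildHeadersBuggy(demoFile, SIGNED_OVERRIDES)));
console.log('hardened renders inline:', rendersInline(demoFile, buildHeadersHardened(demoFile, SIGNED_OVERRIDES)));
```

Run it with node; the buggy path reports inline rendering for the .html file because the lookup never sees the PascalCase key, while the hardened path forces a download. The fallback on extension matters as much as the key normalisation: it keeps a future naming drift between the two sides from reopening the same hole.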

Defensive priority

Medium priority should be given to updating NocoDB to version 2026.05.1 or later, as this vulnerability has a CVSS score of 5.1 and is classified as MEDIUM severity. Additionally, organizations should review their current configuration, especially if NC_SECURE_ATTACHMENTS=true is set, and consider implementing additional security measures for handling file uploads and rendering content.

Recommended defensive actions

  • Update NocoDB to version 2026.05.1 or later.
  • Review and adjust NC_SECURE_ATTACHMENTS configuration as necessary.
  • Implement additional security measures for file uploads and content rendering.
  • Monitor for suspicious file upload and rendering activities.
  • Consider compensating controls for content security policy.

Evidence notes

The CVE-2026-53929 entry was obtained from the NVD database, which received its information from the official CVE.org record and a security advisory from GitHub. The vulnerability details were provided with a CVSS score of 5.1 and a severity rating of MEDIUM. The issue is fixed in NocoDB version 2026.05.1.

Official resources

This article is AI-assisted and based on the supplied source corpus.