CVE-2026-33221

LOW EPSS 7.0%
Published Mar 20, 20263mo ago · Modified Jun 17, 20262w ago
2.1 CVSS 4.0
Low
Find Similar
Published Mar 20, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
7.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-343
CWE-345

Affected Products 1

VendorProductVersionRange
nhoststorage* <0.12.0

References 4

  • github.com https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85
    Patch
  • github.com https://github.com/nhost/nhost/pull/4018
    Issue TrackingPatch
  • github.com https://github.com/nhost/nhost/releases/tag/storage%400.12.0
    ProductRelease Notes
  • github.com https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm
    MitigationVendor Advisory

Remediation

  • github.com https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85
    Patch
  • github.com https://github.com/nhost/nhost/pull/4018
    Issue TrackingPatch