CVE-2026-33221

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85
https://github.com/nhost/nhost/pull/4018
https://github.com/nhost/nhost/releases/tag/storage%400.12.0
https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 23:16

Updated : 2026-03-23 14:32

NVD link : CVE-2026-33221

Mitre link : CVE-2026-33221

CVE.ORG link : CVE-2026-33221

JSON object : View

Products Affected

No product.

CWE

CWE-343

Predictable Value Range from Previous Values

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2026-33221", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T23:16:46.163", "references": [{"url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85", "source": "security-advisories@github.com"}, {"url": "https://github.com/nhost/nhost/pull/4018", "source": "security-advisories@github.com"}, {"url": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-343"}, {"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0."}, {"lang": "es", "value": "Nhost es una alternativa de c\u00f3digo abierto a Firebase con GraphQL. Antes de la versi\u00f3n 0.12.0, el gestor de carga de archivos del servicio de almacenamiento conf\u00eda en el encabezado Content-Type proporcionado por el cliente sin realizar detecci\u00f3n de tipo MIME en el servidor. Esto permite a un atacante subir archivos con un tipo MIME arbitrario, eludiendo cualquier restricci\u00f3n basada en el tipo MIME configurada en los buckets de almacenamiento. Este problema ha sido parcheado en la versi\u00f3n 0.12.0."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security-advisories@github.com"}