Critical (9.9)

NocoBase RCE (CVE-2026-34156) [PoC]

CVE-2026-34156

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScr...

Overview

A critical sandbox escape vulnerability, tracked as CVE-2026-34156, affects the NocoBase no-code/low-code platform. The flaw resides in the platform’s Workflow Script Node, which is designed to execute user-supplied JavaScript in a sandboxed environment. This sandbox was insufficiently isolated, allowing authenticated users to break out and execute arbitrary commands on the underlying host server with root privileges.

Technical Details

NocoBase versions prior to 2.0.28 execute user JavaScript within a Node.js vm sandbox. While the system used an allowlist for required modules, the console object passed into the sandbox context contained a critical oversight. It exposed host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An attacker could leverage these exposed objects to traverse the prototype chain, bypass the sandbox restrictions, and gain direct access to the host Node.js environment. The attack complexity is low, requires no user interaction, and can be performed over the network by any authenticated user.

Impact

The impact of this vulnerability is severe. Successful exploitation results in full Remote Code Execution (RCE) on the server hosting the NocoBase application, with the attacker gaining root-level privileges. This allows complete compromise of the server, enabling data theft, deployment of ransomware, or use as a foothold for lateral movement within a corporate network. Given NocoBase's use in building business applications, compromised instances could expose sensitive enterprise data and critical internal workflows.

Remediation and Mitigation

The primary and mandatory action is to immediately upgrade NocoBase to version 2.0.28 or later, which contains the patch. There is no effective workaround for this vulnerability. Organizations should:

  1. Patch Immediately: Upgrade all affected NocoBase instances to version 2.0.28+ without delay.
  2. Audit Access: Review logs for any unusual activity in workflow scripts prior to patching.
  3. Principle of Least Privilege: Run NocoBase application accounts and the OS account that hosts the NocoBase process with the minimum permissions required, so that a sandbox escape inherits as little privilege as possible. This limits the blast radius of a compromise but does not prevent the escape itself; only the patch does.


Security Insight

This vulnerability highlights the persistent challenge of securely sandboxing user code, especially in low-code platforms that inherently grant users higher levels of system interaction. It echoes historical Node.js vm sandbox escapes, demonstrating that custom security wrappers often reintroduce risk if not meticulously audited. The flaw’s presence in a core feature like the Workflow Script Node suggests a need for more rigorous security review of the platform’s extensibility mechanisms.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: franckboumendil/CVE-2026-34156
Description: NocoBase Sandbox Escape to RCE via console._stdout Prototype Chain Traversal (CVE-2026-34156)
Stars: 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
