CVE-2026-33221 | THREATINT

Description

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-20 | Updated 2026-03-25 | Assigner GitHub_M

LOW: 2.1CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-345: Insufficient Verification of Data Authenticity

CWE-343: Predictable Value Range from Previous Values

Product status

< 0.12.0

affected

References

github.com/.../nhost/security/advisories/GHSA-g9f6-9775-hffm

github.com/nhost/nhost/pull/4018

github.com/...ommit/c4bd53f042d7f568e567e18e2665af81660fce85

github.com/nhost/nhost/releases/tag/storage@0.12.0

cve.org (CVE-2026-33221)

nvd.nist.gov (CVE-2026-33221)

Download JSON