{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "2.0.28" } ] }, "events": [ { "introduced": "0" }, { "fixed": "26eefed9f8508759a5981e9e7922896493c1d067" } ], "repo": "https://github.com/nocobase/nocobase", "type": "GIT" } ] } ], "aliases": [ "GHSA-px3p-vgh9-m57c" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-913" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34156.json" }, "details": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.", "id": "CVE-2026-34156", "modified": "2026-04-01T23:09:21.323544475Z", "published": "2026-03-31T13:33:11.325Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34156.json" }, { "type": "FIX", "url": "https://github.com/nocobase/nocobase/pull/8967" }, { "type": "WEB", "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28" }, { "type": "ADVISORY", "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34156" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node" }