CVE-2026-34156 - Vulnerability Analysis
Severity: Critical | CVSS: 9.9 | Last Updated: March 31, 2026
NocoBase - Sandbox Escape to Remote Code Execution
Overview
NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm context with a custom require allowlist. The vm module is not a security boundary: an authenticated attacker who can submit a script node can walk the prototype chain of a host-realm object reachable from the sandbox (such as the host console object) to the host Function constructor, compile code in the host realm, and obtain the host process object, achieving remote code execution as root in the affected Docker deployment. The require allowlist does not prevent this, because the escape never calls require. Versions prior to 2.0.28 are affected.
Mitigation
- Upgrade to NocoBase version 2.0.28 or later.
- Replace the Node.js vm module with isolated-vm, which executes the script in a separate V8 isolate. The Node.js documentation states that the vm module is not a security mechanism; a require allowlist on top of it does not change that.
- Do not pass the host console object (or any other host-realm object) into the sandbox. Treat this as defence in depth only: the sandbox object that vm contextifies is itself created in the host realm, so withholding console alone does not close the escape.
- Run the application as a non-root user inside Docker, so that a successful escape does not yield root.
- Restrict /api/flow_nodes:test to admin-only roles, so that only administrators can submit script nodes for execution.
Social Media Activity (2 posts, identical text)
CVE-2026-34156 - Critical (9.9) NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom r... https://www.thehackerwire.com/vulnerability/CVE-2026-34156/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-34156
- Severity: Critical
- CVSS Score: 9.9
- Type: sandbox_escape
- Status: new
- EPSS: 0.0%
- Nuclei: Available
- Social Posts: 2
CWE
- CWE-913 (Improper Control of Dynamically-Managed Code Resources)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, high confidentiality, integrity and availability impact; the changed scope reflects the escape from the script sandbox into the host process)