CVE-2026-34156 — AI Deep Analysis Summary

🚨 **Essence**: NocoBase Workflow Script Node allows **Remote Code Execution (RCE)**. 📉 **Consequences**: Attackers escape the `vm` sandbox via prototype pollution, gaining full control over the host system.

🛡️ **Root Cause**: **CWE-913** (Improper Control of Dynamically-Managed Code Resources). The `console` object in the Node.js `vm` sandbox leaks `WritableWorkerStdio` streams, enabling prototype chain traversal. 🧬

📦 **Affected**: **NocoBase** (Low-code platform). 📅 **Versions**: All versions **before 2.0.28**. ✅ **Fixed**: Version 2.0.28+.

💀 **Attacker Capabilities**: Achieves **RCE as root**. 🌐 Can execute arbitrary commands, access sensitive data, and pivot to other internal systems. Full system compromise.

🔑 **Threshold**: **Medium**. ⚠️ Requires **Authenticated** access. 🚫 No UI interaction needed (UI:N). Low complexity (AC:L). Network accessible (AV:N).

🔓 **Exploit Status**: **Yes**. Public PoC exists via Nuclei templates. 📂 GitHub Advisory (GHSA-px3p-vgh9-m57c) details the `console._stdout.constructor` exploitation path.

🔍 **Self-Check**: 1. Check NocoBase version (< 2.0.28). 2. Scan for Workflow Script Nodes. 3. Use Nuclei template `CVE-2026-34156.yaml` for automated detection. 🛠️

🩹 **Official Fix**: **Yes**. Upgrade to **NocoBase v2.0.28** or later. 📥 Pull Request #8967 addresses the sandbox leakage issue.

🚧 **No Patch Workaround**: 1. Restrict access to Workflow Script Nodes. 2. Disable unnecessary workflow scripts. 3. Isolate the NocoBase instance from critical networks. 🛑

🔥 **Urgency**: **CRITICAL**. 🚨 CVSS Score: **9.8** (High). Immediate patching required due to RCE potential and low exploitation barrier for authenticated users.