Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-34156— NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node

CVSS 10.0 · Critical EPSS 27.40% · P96
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-34156

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
Source: NVD (National Vulnerability Database)
Vulnerability Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
动态管理代码资源的控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nocobase 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nocobase是NocoBase开源的一个低代码平台。 NocoBase 2.0.28之前版本存在安全漏洞,该漏洞源于工作流脚本节点在Node.js vm沙箱中执行用户提供的JavaScript时,传递给沙箱环境的console对象暴露了主机领域的WritableWorkerStdio流对象,可能导致经过身份验证的攻击者遍历原型链以逃逸沙箱并实现远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
nocobasenocobase < 2.0.28 -

II. Public POCs for CVE-2026-34156

#POC DescriptionSource LinkShenlong Link
1NocoBase Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist controlled by WORKFLOW_SCRIPT_MODULES env var. The console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain (console._stdout.constructor.constructor to Function to process to child_process) to escape the sandbox and achieve Remote Code Execution as root. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-34156.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-34156

登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: nocobase
Same vendor: nocobase
Same weakness: CWE-913

V. Comments for CVE-2026-34156

No comments yet

Leave a comment