CVE-2026-33221 LOW

CVE-2026-33221: Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

Vendor Nhost
Product nhost
Weakness CWE-345
Published March 20, 2026
Last update March 25, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Active
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
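The two behaviours side by side, as an added illustration in Go (the language of the storage service) rather than Nhost's own code: the pre-fix path takes the client's Content-Type at face value, while the hardened path sniffs the uploaded bytes with net/http's DetectContentType and checks the result against the bucket's allow-list. The function names, the allow-list and the sample payloads are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// ErrTypeNotAllowed is returned when the sniffed type is not on the bucket's allow-list.
var ErrTypeNotAllowed = errors.New("mime type not allowed for this bucket")

// vulnerableEffectiveType mirrors the behaviour the advisory describes for versions
// before 0.12.0: the client-supplied header decides the stored type, the bytes are ignored.
func vulnerableEffectiveType(clientContentType string, _ []byte) string {
	return clientContentType
}

// detectMIME derives the type from the file content. http.DetectContentType applies
// the WHATWG sniffing rules to at most the first 512 bytes and returns
// "application/octet-stream" when nothing matches, so unknown content fails closed.
func detectMIME(data []byte) string {
	if len(data) > 512 {
		data = data[:512]
	}
	mediaType, _, err := mime.ParseMediaType(http.DetectContentType(data))
	if err != nil {
		return "application/octet-stream"
	}
	return mediaType // parameters such as "; charset=utf-8" are dropped
}

// checkUpload enforces the bucket allow-list against the sniffed type, never the
// client header. The header is kept only for the error message. On success it
// returns the type the server will record for the object.
func checkUpload(clientContentType string, data []byte, allowed []string) (string, error) {
	detected := detectMIME(data)
	for _, a := range allowed {
		if strings.EqualFold(strings.TrimSpace(a), detected) {
			return detected, nil
		}
	}
	return "", fmt.Errorf("%w: client claimed %q, content sniffed as %q",
		ErrTypeNotAllowed, clientContentType, detected)
}

func main() {
	html := []byte("<html><body>constructed sample</body></html>") // not a PNG
	fmt.Println(vulnerableEffectiveType("image/png", html))        // image/png (trusted header)
	_, err := checkUpload("image/png", html, []string{"image/png"})
	fmt.Println(err) // rejected: sniffed as text/html
}
```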

Key dates

Disclosure timeline

March 20, 2026 CVE published
March 25, 2026 Record updated
