CVE-2026-33221
MIME Type Spoofing in Nhost Storage Allows Upload Bypass

Publication date: 2026-03-20

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
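The root cause described above is a server that records whatever Content-Type the client claims. The following Go program is an added illustration, not Nhost's code and not the patch: it places the header-trusting pattern beside the corrected one, which derives the type from the uploaded bytes (magic-byte sniffing via the standard library's http.DetectContentType) and evaluates the bucket allow-list against that detected type. The sample payloads, the bucket list {"image/*"} and the wildcard matching are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// Constructed sample payloads (not from the advisory): an HTML document that
// will be uploaded with a claimed type of image/png, and a real PNG header.
var (
	htmlBody = []byte("<!DOCTYPE html><html><body>hello</body></html>")
	pngBody  = append([]byte("\x89PNG\r\n\x1a\n"), bytes.Repeat([]byte{0}, 32)...)
)

// sniffLimit is the 512-byte window that http.DetectContentType inspects.
const sniffLimit = 512

// ErrMimeNotAllowed is returned when the detected type is outside the bucket list.
var ErrMimeNotAllowed = errors.New("mime type not allowed by bucket")

// trustedType mirrors the vulnerable pattern: the claimed Content-Type header
// is parsed and accepted as the object's type without looking at the bytes.
func trustedType(claimed string) (string, error) {
	mt, _, err := mime.ParseMediaType(claimed)
	if err != nil {
		return "", err
	}
	return mt, nil
}

// detectedType is the hardened pattern: the type comes from the content itself
// and the header is ignored. Parameters such as charset are stripped so the
// allow-list compares bare media types.
func detectedType(body []byte) (string, error) {
	head := body
	if len(head) > sniffLimit {
		head = head[:sniffLimit]
	}
	mt, _, err := mime.ParseMediaType(http.DetectContentType(head))
	if err != nil {
		return "", err
	}
	return mt, nil
}

// allowed reports whether mediaType is permitted by the bucket's list. Entries
// are exact types or "type/*" wildcards; wildcard support is an assumption of
// this example, not a documented Nhost setting.
func allowed(list []string, mediaType string) bool {
	for _, pat := range list {
		pat = strings.ToLower(strings.TrimSpace(pat))
		if pat == mediaType {
			return true
		}
		if strings.HasSuffix(pat, "/*") && strings.HasPrefix(mediaType, strings.TrimSuffix(pat, "*")) {
			return true
		}
	}
	return false
}

// checkUpload applies the hardened check. The type stored for the object is the
// detected one; the allow-list is evaluated against it; and a mismatch between
// the claimed and detected type is reported so it can be logged as a signal.
func checkUpload(list []string, claimed string, body []byte) (string, bool, error) {
	detected, err := detectedType(body)
	if err != nil {
		return "", false, err
	}
	claimedMT, _ := trustedType(claimed) // parse failure is irrelevant: the header is untrusted
	mismatch := claimedMT != "" && claimedMT != detected
	if !allowed(list, detected) {
		return "", mismatch, ErrMimeNotAllowed
	}
	return detected, mismatch, nil
}

func main() {
	bucketAllowed := []string{"image/*"} // assumed bucket configuration

	// Vulnerable behaviour: the HTML body passes because the header says image/png.
	claimed, _ := trustedType("image/png")
	fmt.Printf("header-only check: type=%s allowed=%v\n", claimed, allowed(bucketAllowed, claimed))

	// Hardened behaviour: the same body is rejected, the real PNG is accepted.
	for _, body := range [][]byte{htmlBody, pngBody} {
		stored, mismatch, err := checkUpload(bucketAllowed, "image/png", body)
		fmt.Printf("content check: stored=%q mismatch=%v err=%v\n", stored, mismatch, err)
	}
}
```

Two points worth keeping from this: the allow-list must be evaluated against the detected type, not merely logged beside the claimed one, and a claimed/detected mismatch is a cheap detection signal for upload logs even after the upgrade.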
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-20
Generated: 2026-05-07
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nhost
Product: nhost
Version / Range: up to 0.12.0 (excluding)
CWE
CWE-343: The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Nhost, an open source Firebase alternative with GraphQL, specifically in versions prior to 0.12.0. The issue is that the storage service's file upload handler trusts the Content-Type header provided by the client without verifying the actual MIME type of the uploaded file on the server side.

Because of this, an attacker can upload files with arbitrary MIME types, effectively bypassing any MIME-type-based restrictions that are configured on storage buckets. This could allow unauthorized or potentially harmful files to be stored.

This vulnerability was fixed in version 0.12.0 of Nhost.


How can this vulnerability impact me?

The vulnerability allows attackers to upload files with arbitrary MIME types, bypassing MIME-type-based restrictions on storage buckets.

This can lead to unauthorized storage of malicious or inappropriate files, potentially compromising the security or integrity of the storage system.

Depending on how the stored files are used or served, this could lead to further security issues such as execution of malicious code, data corruption, or exposure to harmful content.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the Nhost storage service to version 0.12.0 or later, where the issue has been patched.

