CVE-2026-33221
Analyzed Analyzed - Analysis Complete
MIME Type Spoofing in Nhost Storage Allows Upload Bypass

Publication date: 2026-03-20

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-06-03
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33221
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nhost storage to 0.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-343 The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Nhost, an open source Firebase alternative with GraphQL, specifically in versions prior to 0.12.0. The issue is that the storage service's file upload handler trusts the Content-Type header provided by the client without verifying the actual MIME type of the uploaded file on the server side.

Because of this, an attacker can upload files with arbitrary MIME types, effectively bypassing any MIME-type-based restrictions that are configured on storage buckets. This could allow unauthorized or potentially harmful files to be stored.

This vulnerability was fixed in version 0.12.0 of Nhost.

Impact Analysis

The vulnerability allows attackers to upload files with arbitrary MIME types, bypassing MIME-type-based restrictions on storage buckets.

This can lead to unauthorized storage of malicious or inappropriate files, potentially compromising the security or integrity of the storage system.

Depending on how the stored files are used or served, this could lead to further security issues such as execution of malicious code, data corruption, or exposure to harmful content.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the Nhost storage service to version 0.12.0 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart