CVE-2026-33221

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Mar 20, 2026

Vendor unknown

Description

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.

References

https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85
https://github.com/nhost/nhost/pull/4018
https://github.com/nhost/nhost/releases/tag/storage%400.12.0
https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm