CVE-2026-33221
CWE-343 · Published: March 20, 2026 · Updated: March 23, 2026
Official Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
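The root cause described above, as an added illustrative example in Go (not Nhost's code): the weak path takes the client's Content-Type header at face value, while the hardened path sniffs the body with `http.DetectContentType` and applies the bucket allow-list to the detected type. `BucketPolicy`, `AcceptUpload` and the sample payloads are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// BucketPolicy is an assumed per-bucket MIME allow-list (not Nhost's schema); empty allows all.
type BucketPolicy struct{ AllowedMIMETypes []string }

func (p BucketPolicy) allowed(mt string) bool {
	for _, a := range p.AllowedMIMETypes {
		if strings.EqualFold(a, mt) {
			return true
		}
	}
	return len(p.AllowedMIMETypes) == 0
}

// mediaType strips parameters such as "; charset=utf-8" so types compare cleanly.
func mediaType(ct string) string {
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return "application/octet-stream"
	}
	return mt
}

// clientDeclaredMIME is the weak path from the advisory: the header is trusted as-is.
func clientDeclaredMIME(hdr http.Header) string { return mediaType(hdr.Get("Content-Type")) }

// sniffMIME is the server-side detection the fix relies on (first 512 bytes of the body).
func sniffMIME(body []byte) string { return mediaType(http.DetectContentType(body)) }

// AcceptUpload is the hardened decision: the policy check uses the sniffed type; the
// header only feeds a mismatch flag, which is worth logging as a detection signal.
func AcceptUpload(p BucketPolicy, hdr http.Header, body []byte) (stored string, ok, mismatch bool) {
	stored = sniffMIME(body)
	return stored, p.allowed(stored), clientDeclaredMIME(hdr) != stored
}

func main() {
	policy := BucketPolicy{AllowedMIMETypes: []string{"image/png"}}
	hdr := http.Header{"Content-Type": {"image/png"}} // client claims PNG in both cases
	// Constructed samples: a genuine PNG signature, then plain text mislabelled as PNG.
	for _, body := range []string{"\x89PNG\r\n\x1a\nconstructed", "hello, plain text"} {
		stored, ok, mismatch := AcceptUpload(policy, hdr, []byte(body))
		fmt.Printf("stored=%s allowed=%v header_mismatch=%v\n", stored, ok, mismatch)
	}
}
```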
Technical Analysis
CVE-2026-33221 is exploitable remotely over the network, without physical or adjacent access, which significantly expands the set of threat actors able to reach the vulnerable upload handler.
Exploitation requires no privileges, though user interaction is needed, which slightly reduces the risk of mass automated attacks.
Recommended Actions
- Apply the vendor patch: upgrade Nhost to version 0.12.0 or later
- Monitor CVE-2026-33221 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts