CVE-2026-33221 Overview
Nhost, an open source Firebase alternative with GraphQL, contains a MIME type validation bypass vulnerability in its storage service. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.
Critical Impact
Attackers can bypass MIME-type-based upload restrictions to store potentially malicious files by spoofing the Content-Type header during file uploads.
Affected Products
- Nhost Storage Service versions prior to 0.12.0
Discovery Timeline
- 2026-03-20 - CVE-2026-33221 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33221
Vulnerability Analysis
This vulnerability stems from a fundamental input validation flaw (CWE-343: Predictable Value Range from Previous Values) in the Nhost storage service's file upload handler. The service accepts the Content-Type header provided by the client at face value without performing any server-side validation or MIME type detection on the actual file contents.
When an administrator configures bucket restrictions to only allow certain file types (e.g., images), the restriction becomes ineffective because an attacker can simply set any desired Content-Type header in their upload request while sending malicious content. For example, an attacker could upload an executable file while claiming it has a Content-Type of image/png, completely bypassing the intended security controls.
Root Cause
The root cause is the absence of server-side MIME type detection in the file upload workflow. The storage service relies solely on client-provided metadata to determine file types, violating the security principle of never trusting client input. The upload handler in services/storage/controller/upload_files.go accepted the Content-Type header without cross-referencing the actual file content.
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious HTTP multipart file upload request. The attacker manipulates the Content-Type header to match an allowed MIME type while the request body contains disallowed content. This requires no special privileges but does require user interaction through the upload interface. The attack complexity is considered high due to the specific conditions required for exploitation.
The exploitation flow involves:
- Identifying a Nhost instance with MIME-type restrictions on storage buckets
- Crafting a multipart upload request with a spoofed Content-Type header
- Sending malicious file content that would normally be blocked by bucket restrictions
- The file is accepted and stored despite violating the configured restrictions
Detection Methods for CVE-2026-33221
Indicators of Compromise
- File uploads where the stored MIME type does not match the actual file content signature
- Storage buckets containing unexpected file types that should have been blocked by configuration
- Upload logs showing files that passed MIME restrictions but have suspicious file signatures upon inspection
Detection Strategies
- Implement file signature (magic byte) analysis to detect mismatches between declared and actual file types
- Monitor storage bucket contents for files that violate configured MIME restrictions
- Review upload access logs for patterns of users uploading files with unusual or mismatched content types
Monitoring Recommendations
- Enable detailed logging for file upload operations including both declared and detected MIME types
- Set up alerts for storage bucket integrity violations where file contents don't match stored metadata
- Perform periodic audits of stored files to verify MIME type consistency
How to Mitigate CVE-2026-33221
Immediate Actions Required
- Upgrade Nhost storage service to version 0.12.0 or later immediately
- Audit existing storage buckets for files that may have bypassed MIME restrictions
- Review and validate any files uploaded prior to the patch to ensure they match expected types
Patch Information
The vulnerability has been patched in Nhost storage version 0.12.0. The fix implements server-side MIME type detection for all file uploads, ensuring that file content is analyzed regardless of the client-provided Content-Type header.
The patch adds proper MIME detection by importing the io package and implementing content-based file type detection:
"context"
"encoding/json"
"fmt"
+ "io"
"log/slog"
"mime/multipart"
"net/http"
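Review bot: only the added `io` import is visible in this hunk; the lines that actually read the file content and derive a MIME type from it are not shown, so the claim that the patch "implements content-based file type detection" cannot be verified from these lines alone. Quoting the detection call in the upload handler, together with how the bytes consumed for sniffing are re-joined to the stream before the object is written, would make the change reviewable.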
Source: GitHub Commit Update
For additional details, see the GitHub Security Advisory GHSA-g9f6-9775-hffm and the GitHub Release Notes 0.12.0.
Workarounds
- If upgrading is not immediately possible, implement a reverse proxy or WAF rule that performs server-side MIME detection before forwarding requests to the storage service
- Consider temporarily restricting file upload functionality to trusted users until the patch can be applied
- Implement additional application-layer validation that checks file magic bytes against declared MIME types
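As an added example (not Nhost's own code), the header-only decision described under Root Cause is shown beside the magic-byte validation suggested in the last workaround, using Go's http.DetectContentType; the bucket allow-list, the Verdict type and the sample bodies are constructed for the illustration:

```go
// Added example, not Nhost code: contrast a header-trusting check with
// a content-sniffing check for a bucket that only allows PNG uploads.
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed bucket policy: only PNG images may be stored in this bucket.
var allowedMIME = map[string]bool{"image/png": true}

// vulnerableCheck mirrors the flaw described above: the allow-list decision
// is made from the client-supplied Content-Type alone; the body is never read.
func vulnerableCheck(declared string, _ io.Reader) bool {
	return allowedMIME[declared]
}

// Verdict (hypothetical type) is what a hardened handler should log:
// declared vs detected type, the policy result, and whether they disagree
// (the mismatch is the indicator of compromise listed above).
type Verdict struct {
	Declared, Detected string
	Allowed, Mismatch  bool
}

// hardenedCheck reads at most the first 512 bytes of the body (all that
// http.DetectContentType inspects) and decides on the detected type.
func hardenedCheck(declared string, body io.Reader) (Verdict, error) {
	head := make([]byte, 512)
	n, err := io.ReadFull(body, head) // short bodies yield ErrUnexpectedEOF/EOF
	if err != nil && err != io.ErrUnexpectedEOF && err != io.EOF {
		return Verdict{}, err
	}
	// Drop parameters such as "; charset=utf-8" before comparing types.
	detected := strings.TrimSpace(strings.Split(http.DetectContentType(head[:n]), ";")[0])
	declaredBase := strings.TrimSpace(strings.Split(declared, ";")[0])
	return Verdict{Declared: declaredBase, Detected: detected,
		Allowed: allowedMIME[detected], Mismatch: declaredBase != detected}, nil
}

func main() {
	// Constructed sample: a ZIP archive header sent with Content-Type: image/png.
	spoofed := append([]byte("PK\x03\x04"), make([]byte, 64)...)
	fmt.Println("header-only check accepts:", vulnerableCheck("image/png", bytes.NewReader(spoofed)))
	v, _ := hardenedCheck("image/png", bytes.NewReader(spoofed))
	fmt.Printf("sniffing check: %+v\n", v)
}
```

In a real handler the sniffed prefix must be re-joined to the remaining stream (for example with io.MultiReader) before the object is written, otherwise the stored file loses its first 512 bytes.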
# Verify current Nhost storage version
nhost version
# Upgrade to patched version
nhost upgrade storage@0.12.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.