CVE-2026-34156 Overview
CVE-2026-34156 is a critical Remote Code Execution (RCE) vulnerability affecting NocoBase, an AI-powered no-code/low-code platform used for building business applications and enterprise solutions. The vulnerability exists in the Workflow Script Node component, which executes user-supplied JavaScript inside a Node.js vm sandbox. Due to improper isolation of the console object passed into the sandbox context, an authenticated attacker can escape the sandbox and execute arbitrary code with root privileges on the underlying host system.
Critical Impact
Authenticated attackers can achieve complete system compromise by escaping the Node.js VM sandbox and executing arbitrary commands as root, potentially leading to full control of the NocoBase server and any connected systems.
Affected Products
- NocoBase versions prior to 2.0.28
- NocoBase installations utilizing the Workflow Script Node feature
- Systems with custom WORKFLOW_SCRIPT_MODULES environment variable configurations
Discovery Timeline
- 2026-03-31 - CVE-2026-34156 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34156
Vulnerability Analysis
This vulnerability is classified under CWE-913 (Improper Control of Dynamically-Managed Code Resources). The flaw resides in how NocoBase's Workflow Script Node implements JavaScript sandboxing for user-supplied code execution.
NocoBase uses a Node.js vm sandbox with a custom require allowlist controlled by the WORKFLOW_SCRIPT_MODULES environment variable. While this configuration attempts to restrict which modules can be imported, the implementation fails to properly sanitize the console object that is passed into the sandbox context.
The exposed console object inadvertently provides access to host-realm WritableWorkerStdio stream objects through the console._stdout and console._stderr properties. An authenticated attacker can traverse the prototype chain from these exposed objects to gain access to the host's execution context, effectively escaping the sandbox entirely.
Once the sandbox is escaped, the attacker can execute arbitrary JavaScript code in the host Node.js process. Given that NocoBase often runs with elevated privileges, this can result in command execution as root, leading to complete system compromise.
Root Cause
The root cause is improper isolation of the console object within the VM sandbox. When the sandbox was constructed, the console object was passed directly from the host context without stripping or proxying sensitive internal properties. The _stdout and _stderr properties expose WritableWorkerStdio stream objects that maintain references to the host realm's object hierarchy. By traversing the prototype chain through these stream objects, an attacker can access constructors and functions from outside the sandbox, enabling arbitrary code execution.
Attack Vector
The attack requires authenticated access to the NocoBase platform with permissions to create or modify Workflow Script Nodes. An attacker crafts a malicious JavaScript payload designed to:
- Access the console._stdout or console._stderr properties within the sandbox
- Traverse the prototype chain through the WritableWorkerStdio stream object
- Reach host-realm constructors or functions (such as process, require, or native modules)
- Execute arbitrary system commands with the privileges of the Node.js process
The exploitation is performed over the network through legitimate NocoBase workflow interfaces. Since the Node.js process commonly runs as root in containerized deployments, successful exploitation grants the attacker root-level access to the host system.
The exploitation technique leverages standard JavaScript prototype chain manipulation. For detailed technical analysis and the specific code paths involved, refer to the GitHub Security Advisory GHSA-px3p-vgh9-m57c.
Detection Methods for CVE-2026-34156
Indicators of Compromise
- Unexpected workflow script executions containing references to console._stdout, console._stderr, or prototype chain traversal patterns
- Unusual process spawning from the NocoBase Node.js process, particularly shell commands or system utilities
- Log entries showing workflow scripts accessing internal Node.js objects or attempting to load non-allowlisted modules
- Evidence of privilege escalation or lateral movement originating from the NocoBase server
Detection Strategies
- Implement runtime monitoring for JavaScript code accessing _stdout, _stderr, __proto__, constructor, or prototype properties within workflow scripts
- Deploy application-level logging to capture and alert on workflow script content containing sandbox escape patterns
- Configure host-based intrusion detection to monitor for unexpected child processes spawned by Node.js
- Utilize SentinelOne Singularity Platform behavioral AI to detect anomalous process execution chains originating from web application contexts
Monitoring Recommendations
- Enable verbose logging for NocoBase Workflow Script Node executions and review for suspicious patterns
- Monitor network connections initiated by the NocoBase server for command-and-control or data exfiltration activity
- Implement file integrity monitoring on critical system files and NocoBase configuration directories
- Set up alerts for any modifications to the WORKFLOW_SCRIPT_MODULES environment variable or related security configurations
How to Mitigate CVE-2026-34156
Immediate Actions Required
- Upgrade NocoBase to version 2.0.28 or later immediately to remediate this vulnerability
- Audit all existing workflow scripts for potentially malicious code patterns involving prototype chain traversal
- Review user accounts with permissions to create or modify Workflow Script Nodes and revoke unnecessary access
- Implement network segmentation to limit the blast radius of potential compromise from the NocoBase server
Patch Information
NocoBase has released version 2.0.28 which addresses this sandbox escape vulnerability. The fix properly isolates the console object and prevents access to host-realm stream objects from within the sandbox context.
Patch resources:
Workarounds
- Disable the Workflow Script Node feature entirely until the patch can be applied
- Restrict access to workflow creation and modification to only highly trusted administrators
- Run the NocoBase Node.js process with minimal privileges (non-root user) to limit the impact of potential exploitation
- Implement additional application-layer filtering to block workflow scripts containing suspicious keywords like _stdout, _stderr, __proto__, or constructor
# Configuration example
# Run NocoBase as non-root user to minimize impact
# Create a dedicated service account
useradd -r -s /bin/false nocobase
# Change ownership of NocoBase installation
chown -R nocobase:nocobase /opt/nocobase
# Update systemd service to run as nocobase user
# Edit /etc/systemd/system/nocobase.service
# [Service]
# User=nocobase
# Group=nocobase
# Restrict WORKFLOW_SCRIPT_MODULES environment variable
export WORKFLOW_SCRIPT_MODULES=""
# Reload and restart service
systemctl daemon-reload
systemctl restart nocobase
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
