CVE-2026-6224: NocoBase Workflow JavaScript RCE Flaw

CVE-2026-6224 is a remote code execution vulnerability in NocoBase plugin-workflow-javascript up to version 2.0.23: a flaw in the plugin's sandboxed console lets a workflow script escape the JavaScript sandbox. This article covers the technical details, affected versions, and mitigation strategies.

CVE-2026-6224 Overview

CVE-2026-6224 is a sandbox escape vulnerability in the NocoBase plugin-workflow-javascript component up to version 2.0.23. The flaw resides in the createSafeConsole function inside packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. An attacker who controls a workflow script can manipulate the sandboxed JavaScript execution context to break out of its intended boundaries. The vulnerability is remotely exploitable and a public exploit has been disclosed. According to the disclosure, the vendor was contacted but did not respond. The weakness is classified under CWE-264: Permissions, Privileges, and Access Controls, a broad category rather than a specific weakness type.

Critical Impact

Remote attackers can escape the JavaScript workflow sandbox in NocoBase. Code that escapes the sandbox runs with the privileges of the Node.js process hosting NocoBase, which puts the confidentiality, integrity, and availability of that process and everything it can reach (its file system, environment, and database connections) at risk.

Affected Products

  • NocoBase plugin-workflow-javascript versions up to and including 2.0.23
  • NocoBase deployments using the JavaScript workflow plugin
  • Self-hosted NocoBase instances running the vulnerable workflow component

Discovery Timeline

  • 2026-04-13 - CVE-2026-6224 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-6224

Vulnerability Analysis

The vulnerability stems from unsafe construction of a sandboxed console object within the NocoBase JavaScript workflow plugin. The createSafeConsole function in Vm.js is intended to provide a restricted console implementation for user-supplied workflow scripts. However, the object it hands to the script carries references (functions and their prototype chains) that still belong to the outer runtime context.

A remote actor with the ability to submit or trigger a JavaScript workflow can traverse these references to reach host objects outside the virtual machine boundary. Once outside the sandbox, the attacker can execute logic that the workflow engine was designed to isolate. The disclosure indicates a public proof of concept is available, which lowers the barrier for opportunistic exploitation.

Root Cause

The root cause is improper isolation between the script execution context and the surrounding Node.js runtime. The createSafeConsole helper returns object accessors that, when manipulated, leak prototypes or function references from the parent realm. This violates the access control assumptions of the workflow plugin and aligns with the [CWE-264] permissions and privileges weakness category.

Attack Vector

The attack vector is network-based, and the CVSS 4.0 vector published with the entry rates it as requiring no privileges or user interaction. An attacker who can author or influence a JavaScript workflow definition supplies a payload that exercises the unsafe console object. Triggering the workflow runs the payload inside the vulnerable VM, allowing the sandbox escape to occur on the server. In practice, creating or editing a workflow in NocoBase requires an account with workflow permissions, so check the published vector against your own deployment's access model rather than taking the privilege rating at face value. Refer to the GitHub CVE Draft Document for the technical write-up.

Detection Methods for CVE-2026-6224

Indicators of Compromise

  • Unexpected child processes spawned by the NocoBase Node.js server process
  • Workflow definitions containing references to constructor, __proto__, process, or other prototype-chain traversal patterns reached from the console object
  • Outbound network connections initiated from the workflow runtime to unfamiliar hosts
  • Modifications to files outside the workflow plugin directory by the NocoBase service account

Detection Strategies

  • Inspect stored JavaScript workflow scripts for sandbox-escape patterns such as access to arguments.callee, Function.constructor, or prototype walking from the console object
  • Enable verbose logging on the workflow plugin and review executions that produce runtime errors referencing internal modules
  • Compare the installed plugin-workflow-javascript version against 2.0.23 across all NocoBase instances

Monitoring Recommendations

  • Monitor the NocoBase host for anomalous process creation, file writes, and outbound connections originating from the Node.js runtime
  • Alert on creation or modification of workflow definitions by non-administrative accounts
  • Forward application and process telemetry to a centralized analytics platform for correlation across hosts

How to Mitigate CVE-2026-6224

Immediate Actions Required

  • Restrict access to the workflow administration interface to trusted administrators only
  • Audit existing JavaScript workflow definitions and remove any submitted by untrusted users
  • Isolate the NocoBase application server with strict egress firewall rules until a patch is applied
  • Review references such as the VulDB Vulnerability #357142 entry for updated guidance

Patch Information

At the time of NVD publication, no vendor patch is referenced in the advisory. The vendor was contacted prior to disclosure but did not respond, according to the VulDB submission. Operators should track the NocoBase project repository for fixed releases above version 2.0.23 and apply them as soon as available. Because no fixed release is named, do not assume that a version newer than 2.0.23 is patched until the project's release notes or commit history reference this issue; until then, the workarounds below apply to every version.

Workarounds

  • Disable the plugin-workflow-javascript plugin if JavaScript workflows are not required for business operations
  • Enforce role-based access control so that only vetted administrators can create or modify workflow scripts
  • Run the NocoBase service under a dedicated low-privilege account with minimal filesystem and network permissions
  • Place the NocoBase deployment behind a reverse proxy that authenticates all access to workflow management endpoints

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
