CVE-2026-34156

CRITICAL NUCLEI

NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-34156. PoCs published by onurcangencbilkent, adminlove520, Dhananjayasj. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a VM sandbox escape in NocoBase 2.0.27 by leveraging prototype chain traversal to access host-realm objects, bypassing the sandbox, and achieving remote code execution. It includes authentication, vulnerability verification, and payload execution for command injection or reverse shell.

Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.

Exploits (5)

exploitdb WORKING POC
by onurcangencbilkent · pythonlocalmultiple
https://www.exploit-db.com/exploits/52552

This exploit demonstrates a VM sandbox escape in NocoBase 2.0.27 by leveraging prototype chain traversal to access host-realm objects, bypassing the sandbox, and achieving remote code execution. It includes authentication, vulnerability verification, and payload execution for command injection or reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NocoBase <= 2.0.27
Auth required
Prerequisites: valid user credentials · workflow access
devstral-2 · analyzed May 08, 2026 Full analysis →
github WORKING POC 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-34156

This repository contains a functional exploit for CVE-2026-34156, which leverages a sandbox escape in NocoBase's Workflow Script Node via prototype chain traversal on the `console._stdout` object to achieve remote code execution (RCE) as root. The exploit includes a Python script that authenticates, constructs a malicious payload, and executes arbitrary commands on the target system.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NocoBase <= 2.0.27
Auth required
Prerequisites: Authenticated user credentials · Access to the `/api/flow_nodes:test` endpoint
devstral-2 · analyzed May 03, 2026 Full analysis →
github WORKING POC
by Dhananjayasj · pythonpoc
https://github.com/Dhananjayasj/CVE-2026-34156-NocoBase-Sandbox-Escape-via-Workflow-Execution-Vulnerability-

This repository contains a functional Python exploit for CVE-2026-34156, which leverages a sandbox escape in NocoBase's workflow engine to achieve remote code execution. The exploit uses a crafted JavaScript payload to bypass the VM sandbox and execute arbitrary commands via the `child_process` module.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NocoBase < 2.0.28
Auth required
Prerequisites: Authenticated user with workflow creation permissions · Access to the NocoBase API endpoints
devstral-2 · analyzed Jun 02, 2026 Full analysis →
nomisec WORKING POC
by franckboumendil · poc
https://github.com/franckboumendil/CVE-2026-34156

This repository contains a functional exploit for CVE-2026-34156, which leverages a sandbox escape in NocoBase's Workflow Script Node via prototype chain traversal on the `console._stdout` object to achieve remote code execution (RCE) as root.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NocoBase <= 2.0.27
Auth required
Prerequisites: Authenticated user access · Network access to target · Python 3.x with `requests` library
devstral-2 · analyzed Apr 08, 2026 Full analysis →
nomisec WORKING POC
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-34156

This repository contains a functional Python exploit for CVE-2026-34156, which leverages a sandbox escape in NocoBase's Workflow Script Node to achieve remote code execution as root. The exploit uses a classic prototype chain traversal technique to escape the Node.js vm sandbox and execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NocoBase < 2.0.28
Auth required
Prerequisites: Authenticated user with workflow creation permissions
devstral-2 · analyzed Apr 08, 2026 Full analysis →

Nuclei Templates (1)

NocoBase - VM Sandbox Escape to Remote Code Execution
CRITICALVERIFIEDby theamanrawat
Shodan: http.title:"NocoBase"
FOFA: body="__nocobase_public_path__"

References (3)

Core 3
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/nocobase/nocobase/pull/8967

Scores

CVSS v3 9.9
EPSS 0.0759
EPSS Percentile 93.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-913
Status published
Products (2)
nocobase/nocobase < 2.0.28 (2 CPE variants)
nocobase/plugin-workflow-javascript 0 - 2.0.28npm
Published Mar 31, 2026
Tracked Since Mar 31, 2026