{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-20T23:00:18.342Z", "dateUpdated": "2026-03-25T13:44:43.741Z"}, "containers": {"cna": {"title": "Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-343", "lang": "en", "description": "CWE-343: Predictable Value Range from Previous Values", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"}, {"name": "https://github.com/nhost/nhost/pull/4018", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhost/nhost/pull/4018"}, {"name": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"}, {"name": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0"}], "affected": [{"vendor": "nhost", "product": "nhost", "versions": [{"version": "< 0.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T23:00:18.342Z"}, "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0."}], "source": {"advisory": "GHSA-g9f6-9775-hffm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:44:34.920197Z", "id": "CVE-2026-33221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:44:43.741Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-03-20T23:00:18.342Z", "dateUpdated": "2026-03-25T13:44:43.741Z"}, "containers": {"cna": {"title": "Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-343", "lang": "en", "description": "CWE-343: Predictable Value Range from Previous Values", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"}, {"name": "https://github.com/nhost/nhost/pull/4018", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhost/nhost/pull/4018"}, {"name": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"}, {"name": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0"}], "affected": [{"vendor": "nhost", "product": "nhost", "versions": [{"version": "< 0.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T23:00:18.342Z"}, "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0."}], "source": {"advisory": "GHSA-g9f6-9775-hffm", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:44:34.920197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:44:39.141Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0."}], "id": "CVE-2026-33221", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:46.163", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"}, {"source": "security-advisories@github.com", "url": "https://github.com/nhost/nhost/pull/4018"}, {"source": "security-advisories@github.com", "url": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-343"}, {"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "nhost", "vendor": "nhost"}], "analysis": {"en": {"generated_at": "2026-03-21T07:39:08.391663+00:00", "value": {"mitigation_remediation": ["Upgrade the Nhost storage component to version 0.12.0 or later to apply the fix."], "summary": {"action": "Patch", "impact": "MIME Type Spoofing"}, "threat_synthesis": {"affected_systems": "The flaw affects Nhost\u2019s storage component in all releases prior to version 0.12.0. Any deployment of the Nhost storage service that has not applied the 0.12.0 update is vulnerable.\n", "description_and_impact": "The vulnerability stems from the storage service accepting the client\u2011provided Content\u2011Type header without any server\u2011side MIME type validation. As a result an attacker can send a file where the declared MIME type differs from the actual content, allowing the upload of files that bypass any MIME\u2011type restrictions that have been configured on storage buckets. This could lead to the storage of disallowed or potentially malicious files, compromising data integrity or exposure.\n", "risk_and_exploitability": "The CVSS score is 2.1, indicating low severity. No EPSS data is provided, and the vulnerability is not in the CISA KEV catalog. The likely attack vector is a remote file\u2011upload request sent to the storage API; this is inferred based on the nature of the service. While the flaw does not enable remote code execution, it does allow authenticated clients to bypass policy controls, potentially compromising stored data.\n"}}}}, "created": "2026-03-23T09:51:55.893370+00:00", "updated": "2026-03-25T14:33:55.394894+00:00", "vendors": ["nhost", "nhost$PRODUCT$nhost"]}