CVE-2026-33221: Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
The storage service’s file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.
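The header-trusting pattern described above beside a server-side sniffing check, as an added Go example (not Nhost's storage code; the function names, the bucket allow-list shape and its "type/*" wildcard syntax are this example's assumptions):

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// normalize drops parameters ("; charset=utf-8") and lower-cases the media type.
func normalize(ct string) string {
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return "application/octet-stream" // unparsable header: treat as opaque binary
	}
	return strings.ToLower(mt)
}

// isAllowed matches a media type against a bucket allow-list of exact types or
// "type/*" wildcards (the wildcard form is this example's assumption, not Nhost's syntax).
func isAllowed(mt string, allowed []string) bool {
	for _, a := range allowed {
		a = strings.ToLower(a)
		if a == mt || (strings.HasSuffix(a, "/*") && strings.HasPrefix(mt, strings.TrimSuffix(a, "*"))) {
			return true
		}
	}
	return false
}

// CheckVulnerable reproduces the flawed pattern: the bucket policy is applied to
// whatever Content-Type the client declared, so the header alone decides.
func CheckVulnerable(declared string, allowed []string) bool {
	return isAllowed(normalize(declared), allowed)
}

// CheckHardened decides from the bytes instead: http.DetectContentType sniffs the
// first 512 bytes and that result, not the header, is what the policy sees.
func CheckHardened(body []byte, allowed []string) (sniffed string, ok bool) {
	sniffed = normalize(http.DetectContentType(body))
	return sniffed, isAllowed(sniffed, allowed)
}
func main() {
	allowed := []string{"image/*"}
	html := []byte("<html><body>not an image</body></html>") // constructed sample body
	fmt.Println("header-trusting check accepts image/png:", CheckVulnerable("image/png", allowed))
	st, ok := CheckHardened(html, allowed)
	fmt.Printf("sniffing check sees %q, accepts: %v\n", st, ok)
}
```

Persist the sniffed type as the object's metadata rather than the declared one, so later downloads are served with a Content-Type that matches the bytes.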
References
- github.com/advisories/GHSA-g9f6-9775-hffm
- github.com/nhost/nhost
- github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85
- github.com/nhost/nhost/pull/4018
- github.com/nhost/nhost/releases/tag/storage@0.12.0
- github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm
- nvd.nist.gov/vuln/detail/CVE-2026-33221