CVE-2026-34156: NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node

March 30, 2026

## Summary

NocoBase’s Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr.

An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution (RCE) as root.

References

github.com/advisories/GHSA-px3p-vgh9-m57c
github.com/nocobase/nocobase
github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c
nvd.nist.gov/vuln/detail/CVE-2026-34156

Code Behaviors & Features

Detect and mitigate CVE-2026-34156 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →