## https://sploitus.com/exploit?id=3D62515B-6454-5989-9FF8-C5AFD1CA0645
# CVE-2026-34156: NocoBase Sandbox Escape to RCE
## Description
NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js `vm` sandbox. The `console` object passed into the sandbox context is the host's, and it exposes host-realm `WritableWorkerStdio` stream objects via `console._stdout` and `console._stderr`.
An authenticated attacker who can run the node walks the prototype chain of one of those host-realm objects (`console._stdout.constructor.constructor` is the host `Function` constructor), escapes the sandbox, and achieves Remote Code Execution (RCE) as root, since the container runs the application as root.
## Vulnerability Details
| Field | Value |
|---------|---------------------|
| CVE | CVE-2026-34156 |
| GHSA | GHSA-px3p-vgh9-m57c |
| Product | NocoBase |
| Affected | |

PoC output:
```
whoami
[+] Output:
root
```
## Lab Setup (Docker)
```bash
# Start vulnerable instance
docker run -d \
  --name nocobase-vuln \
  -p 3000:80 \
  -e APP_KEY=test-key \
  -e DB_DIALECT=sqlite \
  nocobase/nocobase:2.0.26

# Wait until the app answers (roughly 30 seconds) rather than sleeping blindly
until curl -sf http://localhost:3000/ >/dev/null; do sleep 2; done

# Then run the exploit
python3 exploit.py -t http://localhost:3000 -c "id"
```
## Remediation
- Upgrade to **NocoBase 2.0.28** or later
- Replace the Node.js `vm` module with `isolated-vm` for true V8 isolate separation. Node's own documentation states that `vm` is not a security mechanism and must not be used to run untrusted code, so any mitigation that keeps `vm` is partial.
- Do not pass the host `console` object, or any other host-realm object or function, into the sandbox; a host function's `constructor` is the host `Function` just as a host stream's is.
- Run the application as a non-root user inside Docker, so a sandbox escape does not immediately yield root
- Restrict `/api/flow_nodes:test` to admin-only roles. This limits who can reach the script node but does not remove the escape; treat it as defence in depth, not a fix.
## References
- [GitHub Advisory GHSA-px3p-vgh9-m57c](https://github.com/advisories/GHSA-px3p-vgh9-m57c)
- [NocoBase Security Advisory](https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c)
- [NVD CVE-2026-34156](https://nvd.nist.gov/vuln/detail/CVE-2026-34156)
## Credits
- **Vulnerability discovered by**: Onurcan Genç, Independent Security Researcher, Bilkent University
- **PoC implementation**: Franck Boumendil
## Disclaimer
This PoC is provided for **educational and authorized security testing purposes only**.
Only use against systems you own or have explicit written permission to test.
Unauthorized access to computer systems is illegal. The author assumes no liability for misuse.