Critical VM Sandbox Escape in NocoBase 2.0.27 Allows Root RCE via Workflow Scripts
What Happened — A newly disclosed vulnerability (CVE‑2026‑34156) in NocoBase 2.0.27’s “Workflow Script” node lets an attacker break out of the Node.js vm sandbox and execute arbitrary commands as root. The flaw stems from an unsafe console object that exposes host‑realm streams, enabling prototype‑chain hijacking to load child_process.
Why It Matters for TPRM —
- The exploit grants full system compromise on any container or host running a vulnerable NocoBase instance.
- Attackers need only a legitimate workflow user account, a common scenario in multi‑tenant SaaS environments.
- The vulnerability scores 9.9 CVSS 3.1, placing it in the “Critical” tier and demanding immediate remediation.
Who Is Affected — Low‑code/no‑code platform providers, SaaS vendors that embed NocoBase, and their downstream customers (tech, fintech, health‑tech, etc.).
Recommended Actions —
- Verify that all NocoBase deployments are upgraded to 2.0.28 or later.
- Review IAM policies: limit workflow script access to the minimum required users.
- Conduct penetration testing of sandboxed execution environments.
- Monitor logs for suspicious process.mainModule.require or child_process.execSync calls.
Technical Notes — The attack leverages prototype‑chain traversal (console._stdout.constructor.constructor) to obtain the host‑realm Function constructor, then calls process.mainModule.require('child_process') to execute commands as root. CVE‑2026‑34156 (CWE‑913) carries a CVSS 3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Exploit requires valid credentials with workflow access. Source: Exploit‑DB 52552