NocoBase AI Platform Critical RCE via Workflow Script Node (CVE-2026-34156, CVSS 9.9)
Summary
A critical remote code execution vulnerability (CVE-2026-34156, CVSS 9.9) in NocoBase, an AI-powered no-code/low-code platform, allows an attacker with access to the workflow configuration interface to execute arbitrary JavaScript on the server through the Workflow Script Node. Versions prior to 2.0.28 are affected; upgrade to 2.0.28 or later.
Threat Analysis
CVE-2026-34156 affects NocoBase versions prior to 2.0.28. The vulnerability lies in the Workflow Script Node feature, which evaluates user-supplied JavaScript on the server without adequate sandboxing or input validation. An attacker who can create or edit workflows can craft a script that runs with the privileges of the NocoBase server process, enabling full compromise of the host, exfiltration of data the application can reach, and lateral movement within the hosting environment. The CVSS score of 9.9 reflects that only low-privileged, authenticated access is required and that the impact extends beyond the application itself.

The exposure is significant because NocoBase is increasingly adopted by enterprises for building internal business applications and workflows, often with access to sensitive databases and internal APIs; a script node runs with whatever those integrations can reach. The vulnerability was published on March 31, 2026.

Organizations running NocoBase should upgrade to version 2.0.28 or later immediately. If patching is not yet feasible, disable the Workflow Script Node feature and restrict access to the NocoBase administration and workflow configuration interfaces to trusted users only. In either case, audit existing workflow configurations for suspicious or unauthorized script nodes, since upgrading closes the execution path but does not remove nodes an attacker may already have planted, and treat any unexplained script node as a possible indicator of compromise.