CVE-2026-40346
SSRF Vulnerability in NocoBase Workflow HTTP Request Plugin
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocobase | nocobase | all versions before 2.0.37 (2.0.37 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in NocoBase, an AI-powered no-code/low-code platform. Prior to version 2.0.37, its workflow HTTP request plugin and custom request action plugin allow authenticated users to make server-side HTTP requests to user-provided URLs without any Server-Side Request Forgery (SSRF) protection.
Because of this lack of SSRF protection, an authenticated user can exploit the system to access internal network services, cloud metadata endpoints, and localhost resources that should normally be protected.
This issue was fixed in version 2.0.37 by adding appropriate protections.
How can this vulnerability impact me?
The vulnerability allows an authenticated user to perform unauthorized server-side HTTP requests to internal network services and sensitive endpoints such as cloud metadata services and localhost.
This can lead to unauthorized access to sensitive internal resources, potential data leakage, and could be leveraged to further compromise the internal network or cloud infrastructure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade NocoBase to version 2.0.37 or later, which contains a patch addressing the SSRF issue in the workflow HTTP request plugin and custom request action plugin.