CVE-2026-40346
Received Received - Intake
SSRF Vulnerability in NocoBase Workflow HTTP Request Plugin

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40346
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nocobase nocobase to 2.0.37 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in NocoBase, an AI-powered no-code/low-code platform. Prior to version 2.0.37, its workflow HTTP request plugin and custom request action plugin allow authenticated users to make server-side HTTP requests to user-provided URLs without any Server-Side Request Forgery (SSRF) protection.

Because of this lack of SSRF protection, an authenticated user can exploit the system to access internal network services, cloud metadata endpoints, and localhost resources that should normally be protected.

This issue was fixed in version 2.0.37 by adding appropriate protections.

Impact Analysis

The vulnerability allows an authenticated user to perform unauthorized server-side HTTP requests to internal network services and sensitive endpoints such as cloud metadata services and localhost.

This can lead to unauthorized access to sensitive internal resources, potential data leakage, and could be leveraged to further compromise the internal network or cloud infrastructure.

Mitigation Strategies

To mitigate this vulnerability, upgrade NocoBase to version 2.0.37 or later, which contains a patch addressing the SSRF issue in the workflow HTTP request plugin and custom request action plugin.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart