CVE-2026-46548
Deferred Deferred - Pending Action

SSRF in NocoDB Notification Webhook Plugins

Vulnerability report for CVE-2026-46548, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts. This vulnerability is fixed in 2026.04.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
nocodb nocodb to 2026.04.1 (inc)
nocodb slack_webhook_plugin *
nocodb discord_webhook_plugin *
nocodb mattermost_webhook_plugin *
nocodb teams_webhook_plugin *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with hook-creation permissions to send outbound POST requests to arbitrary internal hosts, potentially including sensitive internal endpoints such as cloud-metadata services. This SSRF protection bypass could lead to unauthorized data access or exfiltration if verbose logging is enabled.

Such unauthorized access or data leakage risks could impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls over access to sensitive data and systems. However, the provided information does not explicitly state the direct compliance impact or any regulatory violations.

Executive Summary

This vulnerability exists in NocoDB software prior to version 2026.04.1, specifically in the four notification webhook plugins: Slack, Discord, Mattermost, and Teams.

The issue is that the request-filtering-agent SSRF (Server-Side Request Forgery) protection was non-functional because the httpAgent and httpsAgent were incorrectly passed as part of the request body instead of the axios configuration.

As a result, an authenticated user with permission to create hooks could exploit this flaw to send outbound POST requests to arbitrary internal hosts, potentially accessing internal network resources.

This vulnerability was fixed in version 2026.04.1.

Impact Analysis

An attacker who is an authenticated user with hook-creation permissions could exploit this vulnerability to send unauthorized POST requests to internal hosts.

This could allow the attacker to interact with internal network services that are not normally accessible from outside, potentially leading to information disclosure or further attacks within the internal network.

However, the CVSS score indicates a moderate impact with low complexity and limited confidentiality impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.04.1 or later, where the SSRF protection in the notification webhook plugins (Slack, Discord, Mattermost, Teams) has been fixed.

Ensure that only authenticated users with hook-creation permissions are allowed to create webhooks, and monitor for any unusual outbound POST requests to internal hosts.

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound POST requests originating from the NocoDB webhook plugins (Slack, Discord, Mattermost, Teams) to internal or cloud-metadata endpoints such as 169.254.169.254. Since the SSRF protection was bypassed, an authenticated user with hook-creation permissions could create hooks that send requests to arbitrary internal hosts.

To detect exploitation attempts, you can look for outbound POST requests from the NocoDB server to internal IP ranges or metadata service IPs. Additionally, reviewing logs for webhook creation activities by authenticated users may help identify suspicious behavior.

Suggested commands to detect potential exploitation include:

  • Using network monitoring tools like tcpdump or tshark to capture outbound POST requests to internal IPs or 169.254.169.254, for example:
  • tcpdump -i <interface> 'tcp and dst host 169.254.169.254 and tcp[tcpflags] & tcp-push != 0'
  • Or to capture all outbound POST requests to private IP ranges:
  • tcpdump -i <interface> 'tcp and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16) and tcp[tcpflags] & tcp-push != 0'
  • Checking application logs for webhook creation events by authenticated users, which might indicate attempts to exploit the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46548. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart