CVE-2026-46548
SSRF in NocoDB Notification Webhook Plugins

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts. This vulnerability is fixed in 2026.04.1.
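The two call shapes side by side, as an added illustration that is not NocoDB's code and does not use the real axios or request-filtering-agent packages: `fakeAxiosPost` is a stub that, like axios, only honours an agent found in its config argument, and `FilteringAgent` is a stub standing in for request-filtering-agent that refuses private, loopback and link-local IPv4 literals. All hostnames and payloads are constructed sample values.

```javascript
// Added example (not NocoDB's code). Shows why an agent placed in the request
// body never filters anything, and what the corrected call shape looks like.
// `fakeAxiosPost` and `FilteringAgent` are stand-ins written for this example;
// hosts and payloads below are constructed sample values.

class FilteringAgent {
  // Returns false for RFC 1918, loopback and link-local IPv4 literals;
  // hostnames pass unchanged here because this stand-in does not resolve DNS.
  isAllowed(host) {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return true;
    const [a, b] = host.split('.').map(Number);
    return !(a === 10 || a === 127 || (a === 169 && b === 254) ||
             (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168));
  }
}

// Stand-in for axios.post(url, data, config): as with real axios, only an
// agent found in `config` takes effect. Returns the outcome instead of dialing.
function fakeAxiosPost(url, data, config = {}) {
  const { hostname, protocol } = new URL(url);
  const agent = protocol === 'https:' ? config.httpsAgent : config.httpAgent;
  if (agent && !agent.isAllowed(hostname)) {
    return { sent: false, reason: 'blocked by agent: ' + hostname };
  }
  return { sent: true, body: data };
}

// Vulnerable shape described in the advisory: the agents ride along in the
// body (second argument), so they are treated as payload, not as transport.
function vulnerableNotify(url, payload) {
  const agent = new FilteringAgent();
  return fakeAxiosPost(url, { ...payload, httpAgent: agent, httpsAgent: agent });
}

// Fixed shape: the agents go in the axios config (third argument).
function fixedNotify(url, payload) {
  const agent = new FilteringAgent();
  return fakeAxiosPost(url, payload, { httpAgent: agent, httpsAgent: agent });
}
```

Running `vulnerableNotify` against a private address reports the request as sent, while `fixedNotify` reports it blocked; the same comparison works as a unit test for any webhook sender that is supposed to carry a filtering agent.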
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
5 associated CPEs
Vendor: nocodb, Product: nocodb, Version / Range: to 2026.04.1 (inc)
Vendor: nocodb, Product: slack_webhook_plugin, Version / Range: *
Vendor: nocodb, Product: discord_webhook_plugin, Version / Range: *
Vendor: nocodb, Product: mattermost_webhook_plugin, Version / Range: *
Vendor: nocodb, Product: teams_webhook_plugin, Version / Range: *
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability exists in NocoDB software prior to version 2026.04.1, specifically in the four notification webhook plugins: Slack, Discord, Mattermost, and Teams.

The issue is that the request-filtering-agent SSRF (Server-Side Request Forgery) protection was non-functional because the httpAgent and httpsAgent were incorrectly passed as part of the request body instead of the axios configuration.

As a result, an authenticated user with permission to create hooks could point a webhook at an arbitrary internal host and have the NocoDB server issue outbound POST requests to it, reaching internal network resources that the user cannot contact directly.

This vulnerability was fixed in version 2026.04.1.

Impact Analysis

An attacker who is an authenticated user with hook-creation permissions could exploit this vulnerability to send unauthorized POST requests to internal hosts.

This could allow the attacker to interact with internal network services that are not normally accessible from outside, potentially leading to information disclosure or further attacks within the internal network.

However, the CVSS score indicates a moderate impact with low complexity and limited confidentiality impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.04.1 or later, where the SSRF protection in the notification webhook plugins (Slack, Discord, Mattermost, Teams) has been fixed.

Until the upgrade is applied, limit hook-creation permission to trusted users, and monitor for unusual outbound POST requests from the NocoDB host to internal addresses.
