CVE-2026-58468
Received Received - Intake

Server-Side Request Forgery in NocoBase

Vulnerability report for CVE-2026-58468, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
nocobase nocobase to 2.1.20 (inc)
nocobase nocobase to 2.1.18 (inc)
nocobase nocobase to 2.0.55 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58468 is a Server-Side Request Forgery (SSRF) vulnerability in NocoBase versions through 2.1.20. It exists in the serverRequest wrapper, which is used by workflow request nodes, custom request action buttons, and the AI plugin. Authenticated administrators can exploit this vulnerability by supplying malicious URLs that cause the server to make arbitrary outbound HTTP requests.

Because the SERVER_REQUEST_WHITELIST environment variable is not configured by default, outbound HTTP requests are unrestricted. This allows attackers to target internal network addresses such as loopback, RFC-1918 private ranges, and cloud instance metadata endpoints.

Exploitation can lead to internal network port enumeration, host discovery, and theft of IAM role credentials from cloud metadata services, potentially compromising cloud accounts.

Impact Analysis

This vulnerability can have several impacts if exploited:

  • Attackers with administrator access can perform internal network port scanning and host discovery.
  • They can access sensitive cloud instance metadata endpoints, potentially stealing IAM role credentials.
  • Credential theft can lead to full compromise of cloud accounts and associated resources.
  • Unrestricted outbound HTTP requests can expose internal network structure and services to attackers.
Detection Guidance

Detection of this SSRF vulnerability involves monitoring for unusual outbound HTTP requests initiated by authenticated administrators through workflow request nodes, custom request buttons, or the AI plugin. Specifically, look for POST requests to the endpoint /api/flow_nodes:test with URLs targeting internal IP ranges such as loopback addresses (127.0.0.1), RFC-1918 private ranges, or cloud metadata service IPs (e.g., 169.254.169.254).

Since the vulnerability allows arbitrary outbound HTTP requests, network monitoring tools or web server logs can be used to detect suspicious requests. Commands to check logs or monitor network traffic might include:

  • Using grep to find suspicious POST requests in server logs: grep "/api/flow_nodes:test" /path/to/nocobase/logs/access.log
  • Using tcpdump or similar to monitor outbound HTTP requests to internal IP ranges: sudo tcpdump -i any tcp and dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16
  • Checking for warning logs related to SSRF risk if SERVER_REQUEST_WHITELIST is not configured, as the system logs warnings for requests targeting risky internal or metadata addresses.
Mitigation Strategies

Immediate mitigation steps include configuring the SERVER_REQUEST_WHITELIST environment variable to restrict outbound HTTP requests only to trusted domains or IP ranges. This whitelist blocks requests to loopback, private, link-local, and cloud metadata addresses by default, preventing exploitation of the SSRF vulnerability.

If you rely on internal services, explicitly add their IPs or domains to the whitelist to avoid disruption. Additionally, update NocoBase to a version that includes the patch or apply the relevant pull request that introduces these restrictions and warning mechanisms.

Other recommended actions include monitoring logs for SSRF warning messages, restricting administrator access to trusted users only, and reviewing workflow nodes, custom request buttons, and AI plugin configurations to ensure they do not accept untrusted URLs.

Compliance Impact

The vulnerability allows authenticated administrators to perform Server-Side Request Forgery (SSRF), enabling them to send arbitrary outbound HTTP requests to internal network addresses and cloud metadata endpoints.

This can lead to internal network port enumeration, host discovery, and theft of IAM role credentials from cloud instance metadata services, potentially resulting in unauthorized access to sensitive data or cloud resources.

Such unauthorized access and potential data exposure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information and mandate strict access controls and data security measures.

Therefore, exploitation of this vulnerability may lead to violations of these regulations due to compromised confidentiality and integrity of protected data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58468. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart