CVE-2026-40346
6.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nocobase | @nocobase/plugin-workflow-request | < 2.0.37 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
- https://github.com/nocobase/nocobase/pull/9079
- https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
- https://github.com/nocobase/nocobase/releases/tag/v2.0.37
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.