CVE-2026-40346

MEDIUM

NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins

Title source: cna

Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.

References (4)

Scores

CVSS v4 6.4
EPSS 0.0001
EPSS Percentile 2.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Details

CWE
CWE-918
Status published
Products (1)
nocobase/@nocobase/plugin-workflow-request < 2.0.37
Published Apr 18, 2026
Tracked Since Apr 18, 2026