CVE-2026-40346
Vulnerability Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection, so the destination is not validated before the request is sent. An authenticated user can therefore use the NocoBase server to reach internal network services, cloud metadata endpoints and localhost. Version 2.0.37 contains a patch.
References & Resources
- https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59 (source: security-advisories@github.com)
- https://github.com/nocobase/nocobase/pull/9079 (source: security-advisories@github.com)
- https://github.com/nocobase/nocobase/releases/tag/v2.0.37 (source: security-advisories@github.com)
- https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp (source: security-advisories@github.com)
Severity Details
- CVSS Score
- out of 10.0
- Severity Rating
- Low
Weakness Type (CWE)
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE Top 25 rank: #20
- Description
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
- Typical Severity
- Medium
- OWASP Top 10
- A10:2021-Server-Side Request Forgery (SSRF)
- Abstraction Level
- Base
Key Information
- Published Date
- April 18, 2026
