Back to search
CVE-2026-40346
Published: Apr 17, 2026
Modified: Apr 20, 2026
PUBLISHED
Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
| Vendor | Product | Versions |
|---|---|---|
nocobase | @nocobase/plugin-workflow-request | affected < 2.0.37 |
Weaknesses (CWE)
References
https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
x_refsource_CONFIRM
https://github.com/nocobase/nocobase/pull/9079
x_refsource_MISC
https://github.com/nocobase/nocobase/releases/tag/v2.0.37
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now