PT-2026-56236 · Nocobase · Nocobase

George Chen

·

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-58468

CVSS v3.1

5.5

Média

VetorAV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER REQUEST WHITELIST is not configured.

Exploit

Correção

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-58468

Produtos afetados

Nocobase