PT-2026-33211 · Nocobase · Nocobase

Published: 2026-04-15 · Updated: 2026-05-13 · CVE-2026-40346

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: NocoBase versions prior to 2.0.37

Description: The workflow HTTP request plugin and the custom request action plugin make server-side HTTP requests to user-provided URLs without protection against Server-Side Request Forgery (SSRF), a flaw in which an attacker induces the server to send requests to an unintended destination. An authenticated user can reach internal network services, localhost, and cloud metadata endpoints, potentially leading to the theft of cloud credentials (such as AWS, GCP, or Azure) or to interaction with private services such as PostgreSQL and Redis. The issue exists because the url variable is used without validation, without filtering of private IP ranges, and without DNS rebinding protection.

Recommendations: Update to version 2.0.37. As a temporary workaround, restrict access to the workflow HTTP request plugin and the custom request action plugin to minimize the risk of exploitation.

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-40346, GHSA-MVVV-V22X-XQWP

Affected Products: Nocobase