CVE-2026-46548

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

The request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts.

Details

axios.post(url, data, config) expects connection agents in the third (config) argument. In all four plugins, the agents were placed in the second (data) argument and serialised as JSON body content:

// packages/nocodb/src/plugins/slack/Slack.ts (and Discord / Mattermost / Teams — identical pattern)
return await axios.post(webhook url, {
 text,
 httpAgent: useAgent(webhook url),  // wrong position — serialised, not used
 httpsAgent: useAgent(webhook url),
});

The webhook flow: an Editor+ user creates a webhook with notification.payload.channels[].webhook url pointing to an internal host; on trigger, WebhookInvoker.invoke() calls the plugin's sendMessage() which performs the outbound axios.post with no SSRF filtering applied.

This is distinct from GHSA-xr7v-j379-34v9, which covers a blind SSRF via HEAD in the upload-by-URL path.

Impact

Authenticated user (Editor+) can reach cloud-metadata endpoints (169.254.169.254) and internal services.
Combined with verbose hook logging (NC AUTOMATION LOG LEVEL=ALL), response bodies may be exfiltrated.

Credit

This issue was reported by @ik0z.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2026-46548

GHSA-2C5X-4JGF-88MJ

Affected Products

Nocodb

CVE-2026-46548

Summary

Details

Impact

Credit

Weakness Enumeration

Related Identifiers

Affected Products

References · 3