Server-Side Request Forgery Vulnerability in NocoBase by NocoBase
CVE-2026-40346

6.4 MEDIUM

Key Information:

Vendor: NocoBase
CVE Published: 17 April 2026

What is CVE-2026-40346?

NocoBase is an AI-powered no-code/low-code platform. Its workflow and custom request action plugins could send server-side HTTP requests to user-defined URLs without adequate SSRF protection. This flaw allows authenticated users to potentially access internal network services and sensitive cloud metadata endpoints. The issue has been addressed in version 2.0.37.
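A destination check of the kind the description says was missing, as an added example in JavaScript. It is not NocoBase's patch or code; the function names (`isInternalAddress`, `screenUrl`, `isSafeDestination`) and the set of blocked ranges are assumptions.

```javascript
// Added example, not NocoBase's patch. Function names are hypothetical.
const net = require('node:net');
const dns = require('node:dns').promises;

// Destinations a server-side request to a user-defined URL should never reach.
const v4 = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes the 169.254.169.254 metadata endpoint
  ['172.16.0.0', 12], ['192.168.0.0', 16],
]) v4.addSubnet(prefix, bits, 'ipv4');

const v6 = new net.BlockList();
for (const [prefix, bits] of [
  ['::', 127],         // unspecified (::) and loopback (::1)
  ['::ffff:0:0', 96],  // IPv4-mapped addresses, rejected outright (fail closed)
  ['fc00::', 7], ['fe80::', 10], // unique-local and link-local
]) v6.addSubnet(prefix, bits, 'ipv6');

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 4) return v4.check(ip, 'ipv4');
  if (family === 6) return v6.check(ip, 'ipv6');
  return true; // not an IP address: fail closed
}

// Synchronous screen: scheme allow-list plus IP-literal check.
// Returns 'deny', 'allow' (public IP literal) or 'resolve' (hostname needing DNS).
function screenUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'deny'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'deny';
  // URL normalises numeric hosts (2130706433 -> 127.0.0.1) and brackets IPv6.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (net.isIP(host) === 0) return 'resolve';
  return isInternalAddress(host) ? 'deny' : 'allow';
}

// Full check: every address the hostname resolves to must be public.
async function isSafeDestination(rawUrl, lookup = (h, o) => dns.lookup(h, o)) {
  const verdict = screenUrl(rawUrl);
  if (verdict !== 'resolve') return verdict === 'allow';
  const addrs = await lookup(new URL(rawUrl).hostname, { all: true });
  return addrs.length > 0 && addrs.every((a) => !isInternalAddress(a.address));
}
```

The same check has to run again on every redirect hop, and the outgoing connection should use the address that was validated rather than resolving the name a second time.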

Affected Version(s)

@nocobase/plugin-workflow-request < 2.0.37

CVSS V4

Score: 6.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved