Server-Side Request Forgery in NocoDB Affects Webhook Notifications
CVE-2026-46548

CVSS 3.1 base score: 4.3 (MEDIUM)

Key Information:

Vendor: NocoDB
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-46548?

NocoDB is an open-source tool that puts a spreadsheet-style interface over a database. Before version 2026.04.1, its webhook notification plugins for Slack, Discord, Mattermost and Teams carried an SSRF guard that never took effect: the `httpAgent` and `httpsAgent` that were meant to enforce it were placed in the request body handed to axios rather than in the axios request config, which is the only place the axios Node adapter reads agents from. With the guard bypassed, an authenticated user who holds hook-creation permission can make the NocoDB server issue outbound POST requests to internal hosts, and anything those hosts return or expose can leak to the attacker. Because the request originates from the server, the reachable targets are whatever that server can reach (loopback services, the private network, cloud metadata endpoints), not what the attacker can reach directly. The fix is in version 2026.04.1; upgrade to that release or later, and where an immediate upgrade is not possible, limit who holds hook-creation rights and apply egress filtering on the NocoDB host.
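The following is an added example, not NocoDB's or axios's own code. It models the one fact this CVE turns on: axios's Node adapter takes `httpAgent`/`httpsAgent` from the request config (the third argument of `axios.post`), so an agent placed in the body (the second argument) is serialised as JSON and never consulted. The guard agent, the `axiosLikePost` stand-in, the `notifyVulnerable`/`notifyFixed` hook shapes and the DNS table are all assumptions constructed for the example so it runs offline.

```javascript
// Added example (not NocoDB's or axios's code). Models why an SSRF guard
// attached via an HTTP agent is a no-op when the agent rides in the POST body
// instead of the axios config. All names below are constructed for this demo.

// Destinations a webhook must never reach (constructed list: "this" network,
// loopback, RFC 1918, link-local incl. cloud metadata, CGNAT, IPv6 unspecified/
// loopback/ULA/link-local, and IPv4-mapped IPv6). Unparseable input is refused.
function isBlockedAddress(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) ip = mapped[1];
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const [a, b, c, d] = v4.slice(1).map(Number);
    if ([a, b, c, d].some((o) => o > 255)) return true;
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127);
  }
  if (ip.includes(':')) {
    const v6 = ip.toLowerCase();
    return v6 === '::' || v6 === '::1' || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return true;
}

// Guard "agent": resolve first, then refuse blocked addresses. Production code
// would put this check inside http.Agent#createConnection; the logic is the same.
function makeSsrfGuardAgent(lookup) {
  return {
    async connect(hostname) {
      const { address } = await lookup(hostname);
      if (isBlockedAddress(address)) {
        throw new Error(`SSRF guard: ${hostname} -> ${address} is not allowed`);
      }
      return address;
    },
  };
}

// Stand-in for axios.post(url, data, config). Like the real adapter it takes the
// agent only from config; data is JSON-serialised into the body regardless of
// what it contains.
async function axiosLikePost(url, data, config, lookup) {
  const u = new URL(url);
  const agent = u.protocol === 'https:' ? config.httpsAgent : config.httpAgent;
  const address = agent
    ? await agent.connect(u.hostname)        // guarded path
    : (await lookup(u.hostname)).address;    // default agent: no check at all
  return { delivered: true, address, body: JSON.stringify(data) };
}

// Pre-2026.04.1 shape: the agents are merged into the POST body, where they
// serialise to "{}" and the adapter never sees them.
async function notifyVulnerable(webhookUrl, payload, lookup) {
  const agent = makeSsrfGuardAgent(lookup);
  return axiosLikePost(webhookUrl, { ...payload, httpAgent: agent, httpsAgent: agent }, {}, lookup);
}

// Fixed shape: the agents go in the axios config, so every connection is checked.
async function notifyFixed(webhookUrl, payload, lookup) {
  const agent = makeSsrfGuardAgent(lookup);
  return axiosLikePost(webhookUrl, payload, { httpAgent: agent, httpsAgent: agent }, lookup);
}

// Constructed DNS table so everything runs offline; the "internal" host is what
// a hook author would point at to probe the NocoDB server's network.
const FAKE_DNS = { 'hooks.example.com': '203.0.113.10', 'admin.internal': '10.0.0.5' };
async function fakeLookup(hostname) {
  if (!(hostname in FAKE_DNS)) throw new Error(`no record for ${hostname}`);
  return { address: FAKE_DNS[hostname] };
}

// 'delivered' if the request went out, 'blocked' if the guard stopped it.
async function outcome(notify, url) {
  try {
    await notify(url, { text: 'row inserted' }, fakeLookup);
    return 'delivered';
  } catch (e) {
    return e.message.startsWith('SSRF guard') ? 'blocked' : 'error';
  }
}

(async () => {
  for (const [name, notify] of [['vulnerable', notifyVulnerable], ['fixed', notifyFixed]]) {
    console.log(name, 'http://admin.internal/api ->', await outcome(notify, 'http://admin.internal/api'));
    console.log(name, 'https://hooks.example.com/x ->', await outcome(notify, 'https://hooks.example.com/x'));
  }
})();
```

Run with `node`: the vulnerable shape delivers to `admin.internal` (10.0.0.5) with the guard visible in the body only as `"httpAgent":{}`, while the fixed shape blocks it and still delivers to the public `hooks.example.com`. When auditing similar code, the check is the call site: agents must appear in the third argument of `axios.post`, never in the second.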

Affected Version(s)

nocodb < 2026.04.1

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Vector as listed: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L. Note that this vector computes to 5.4 under the CVSS 3.1 formula (exploitability 2.8 plus impact 2.5), while the 4.3 shown corresponds to the same vector with Availability: None (A:N). One of the two values is a transcription error; confirm against the vendor advisory before relying on either.
