Skip to main content

NocoBase CVE-2026-58468

| EUVDEUVD-2026-42076 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-07 VulnCheck GHSA-mcxg-3vgg-9774
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Admin authentication (PR:H) required; scope changes to cloud/internal systems (S:C) with high confidentiality impact from IAM credential retrieval (C:H).

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 20:22 vuln.today

DescriptionCVE.org

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.

AnalysisAI

Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as NocoBase administrator
Delivery
Navigate to workflow node or AI plugin
Exploit
Supply malicious URL (169.254.169.254 or RFC-1918 target)
Execution
Server issues outbound HTTP request via serverRequest wrapper
Persist
Retrieve IAM role credentials or enumerate internal hosts
Impact
Escalate to cloud account compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with NocoBase administrator-level privileges - the attack cannot be performed by unauthenticated users or lower-privilege roles. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N, score 5.1) accurately captures that exploitation requires high-privilege authentication, which is the primary limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained NocoBase administrator credentials - through phishing, credential stuffing, or insider access - creates a workflow request node or custom action button supplying the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ as the target. The NocoBase server fetches this URL from its own network context, returning the list of attached IAM roles; a follow-up request to the role-specific endpoint yields temporary AWS access key, secret, and session token, granting the attacker cloud-level privileges. …
Remediation Apply the upstream fix by pulling the commit 5706fb48d9bbe190f9e0044c6d5c87fc5b68c7f1 from https://github.com/nocobase/nocobase/commit/5706fb48d9bbe190f9e0044c6d5c87fc5b68c7f1 or tracking PR #9966 at https://github.com/nocobase/nocobase/pull/9966; a formally versioned patched release is not independently confirmed, so verify release notes for a version beyond 2.1.20. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy