Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Admin authentication (PR:H) required; scope changes to cloud/internal systems (S:C) with high confidentiality impact from IAM credential retrieval (C:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.
AnalysisAI
Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with NocoBase administrator-level privileges - the attack cannot be performed by unauthenticated users or lower-privilege roles. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N, score 5.1) accurately captures that exploitation requires high-privilege authentication, which is the primary limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained NocoBase administrator credentials - through phishing, credential stuffing, or insider access - creates a workflow request node or custom action button supplying the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ as the target. The NocoBase server fetches this URL from its own network context, returning the list of attached IAM roles; a follow-up request to the role-specific endpoint yields temporary AWS access key, secret, and session token, granting the attacker cloud-level privileges. … |
| Remediation | Apply the upstream fix by pulling the commit 5706fb48d9bbe190f9e0044c6d5c87fc5b68c7f1 from https://github.com/nocobase/nocobase/commit/5706fb48d9bbe190f9e0044c6d5c87fc5b68c7f1 or tracking PR #9966 at https://github.com/nocobase/nocobase/pull/9966; a formally versioned patched release is not independently confirmed, so verify release notes for a version beyond 2.1.20. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticate
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_s
Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42076
GHSA-mcxg-3vgg-9774