Description
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
Published: 2026-04-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

NocoBase's workflow HTTP request plugin and custom request action plugin allow an authenticated user to send HTTP requests to any URL specified by the user. The plugins lack SSRF protection, meaning the server can be coerced into reaching internal network services, cloud metadata endpoints, and localhost. This flaw falls under CWE-918 and provides a pathway for attackers to exfiltrate sensitive information or interact with internal resources the server can access.

Affected Systems

All installations of the NocoBase platform that use the workflow HTTP request or custom request action plugins prior to version 2.0.37 are affected. Deployments in which these plugins are given user-supplied URLs without SSRF filtering are at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability. Although EPSS data is not available, the need for authenticated access combined with the ability to dial arbitrary endpoints means that once an attacker gains a legitimate user session, they can probe internal networks or cloud metadata services. The vulnerability is not listed in CISA's KEV catalog, but the ease of exploitation in controlled environments warrants immediate attention.

Generated by OpenCVE AI on April 18, 2026 at 08:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoBase to version 2.0.37 or newer to apply the official fix.
  • If an upgrade cannot be performed immediately, disable or uninstall the unsecured workflow HTTP request and custom request action plugins to stop the vulnerable functionality.
  • Restrict the NocoBase server's outbound network policy to prevent access to internal IP ranges, cloud metadata IPs, and localhost where feasible.
  • Monitor HTTP request logs for anomalous outbound connections that may indicate exploitation attempts.

Advisories

Source: Github GHSA
ID: GHSA-mvvv-v22x-xqwp
Title: NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
History

Sat, 18 Apr 2026 00:15:00 +0000

Values removed: none

Values added:
Description: NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
Title: NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
Weaknesses: CWE-918
References: (none recorded)
Metrics: cvssV4_0, score 6.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:54:34.829Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40346

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T00:16:38.360

Modified: 2026-04-18T00:16:38.360

Link: CVE-2026-40346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses