๐Ÿ” CVE Alert

CVE-2026-58468

MEDIUM 5.5

NocoBase 2.1.20 Server-Side Request Forgery via serverRequest wrapper

CVSS Score
5.5
EPSS Score
0.2%
EPSS Percentile
10th

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.

CWE CWE-918
Vendor nocobase
Product nocobase
Published Jul 7, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for nocobase nocobase

Be the first to know when new medium vulnerabilities affecting nocobase nocobase are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

nocobase / nocobase
0 โ‰ค 2.1.20

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nocobase/nocobase/issues/9962 github.com: https://github.com/nocobase/nocobase/pull/9966 github.com: https://github.com/nocobase/nocobase/commit/5706fb48d9bbe190f9e0044c6d5c87fc5b68c7f1 vulncheck.com: https://www.vulncheck.com/advisories/nocobase-server-side-request-forgery-via-serverrequest-wrapper

Credits

George Chen