
CVE-2026-40346: NocoBase SSRF Vulnerability

CVE-2026-40346 is an SSRF flaw in the NocoBase no-code platform that allows authenticated users to reach internal network services and cloud metadata endpoints from the server. This post covers technical details, affected versions, and patches.


CVE-2026-40346 Overview

CVE-2026-40346 is a Server-Side Request Forgery (SSRF) vulnerability affecting NocoBase, an AI-powered no-code/low-code platform designed for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without implementing any SSRF protection mechanisms. This flaw allows an authenticated user to access internal network services, cloud metadata endpoints, and localhost resources, potentially leading to unauthorized data exposure and lateral movement within the target infrastructure.

Critical Impact

Authenticated attackers can leverage this SSRF vulnerability to probe internal network infrastructure, access cloud instance metadata services (such as AWS IMDSv1, GCP metadata, or Azure IMDS), and potentially exfiltrate sensitive credentials or configuration data from otherwise protected resources.

Affected Products

  • NocoBase versions prior to 2.0.37
  • NocoBase workflow HTTP request plugin (unpatched versions)
  • NocoBase custom request action plugin (unpatched versions)

Discovery Timeline

  • 2026-04-18 - CVE-2026-40346 published to NVD
  • 2026-04-20 - Last updated in NVD database

Technical Details for CVE-2026-40346

Vulnerability Analysis

This SSRF vulnerability (CWE-918) exists because NocoBase's HTTP request functionality accepts user-controlled URLs without proper validation or sanitization. When an authenticated user configures a workflow or custom action that performs HTTP requests, the server blindly follows the provided URL, making requests on behalf of the user from the server's network context.

The vulnerable components—the workflow HTTP request plugin and custom request action plugin—are designed to enable integration with external services. However, without URL allowlisting, protocol restrictions, or network segmentation controls, these plugins become vectors for internal network reconnaissance and data exfiltration.

Root Cause

The root cause of this vulnerability is the absence of SSRF protection mechanisms in the HTTP request handling code. The plugins do not implement:

  • URL scheme validation (so file://, gopher:// and other non-HTTP schemes are accepted)
  • Hostname/IP address blocklisting for internal ranges (e.g., 127.0.0.1, 169.254.169.254, RFC 1918 addresses)
  • DNS rebinding protections
  • Request destination validation against an allowlist

This oversight enables attackers to craft malicious URLs that resolve to internal network resources or cloud metadata endpoints.

Attack Vector

The attack requires network access and low-privilege authenticated access to the NocoBase platform. An attacker can exploit this vulnerability through the following attack pattern:

  1. Authenticate to the NocoBase platform with a valid user account
  2. Create or modify a workflow that includes an HTTP request action
  3. Configure the HTTP request URL to target an internal resource (e.g., http://169.254.169.254/latest/meta-data/ for AWS metadata or http://localhost:8080/admin)
  4. Execute the workflow and observe the response, which may contain sensitive internal data

Since the HTTP request originates from the server itself, it bypasses perimeter security controls and may access resources that are explicitly restricted from external access.

Detection Methods for CVE-2026-40346

Indicators of Compromise

  • Unusual HTTP requests originating from the NocoBase server to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal, 169.254.170.2)
  • Workflow configurations containing URLs pointing to localhost or internal hostnames
  • Unexpected DNS queries from the NocoBase server resolving to internal addresses

Detection Strategies

  • Implement network monitoring to detect outbound connections from the NocoBase server to internal network segments
  • Configure egress filtering rules and alert on violations from application servers
  • Audit workflow configurations and custom request actions for suspicious URL patterns
  • Monitor cloud provider logs for unusual metadata service access patterns

Monitoring Recommendations

  • Enable comprehensive logging for all HTTP requests made by NocoBase workflow and custom action plugins
  • Deploy a Web Application Firewall (WAF) capable of inspecting outbound requests for SSRF patterns
  • Implement anomaly detection for the NocoBase application server's network behavior
  • Set up alerts for any access attempts to cloud metadata services from application tier instances

How to Mitigate CVE-2026-40346

Immediate Actions Required

  • Upgrade NocoBase to version 2.0.37 or later immediately
  • Audit existing workflows and custom actions for any suspicious or unauthorized URL configurations
  • Implement network-level controls to restrict outbound connections from the NocoBase server
  • Review access logs for any signs of exploitation prior to patching

Patch Information

NocoBase has released version 2.0.37 which contains the security fix for this SSRF vulnerability. The patch is available through the following resources:

Workarounds

  • Restrict network egress from NocoBase servers using firewall rules to block access to internal networks and cloud metadata endpoints
  • Implement a forward proxy that validates and allowlists permitted destination URLs for HTTP requests
  • Disable the workflow HTTP request plugin and custom request action plugin if not required for business operations
  • Use network segmentation to isolate NocoBase servers from sensitive internal resources
```bash
# Example iptables rules to block common SSRF targets from the host running NocoBase.
# Note: rules in the OUTPUT chain apply to every process on the host, so scope them
# to the NocoBase service account (e.g. add "-m owner --uid-owner <nocobase-user>")
# if other local services legitimately use these ranges, and place them ahead of
# any broader ACCEPT rule or they will never be matched.

# Block access to cloud metadata endpoints
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 169.254.170.2 -j DROP

# Block access to internal network ranges (adjust as needed)
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP

# Block localhost access from the application
# Caution: this also blocks NocoBase's own loopback connections (for example to a
# database listening on 127.0.0.1); use the owner match above or a narrower rule.
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
```
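The URL checks that the Root Cause section lists as missing (scheme validation, blocking of internal ranges and metadata endpoints, DNS-rebinding protection), written as a guard that a workflow HTTP action or the validating forward proxy described under Workarounds could call before every request. This is an added example, not NocoBase's code or its fix; the `resolve` callback, the exact range list and the sample hostnames are assumptions.

```javascript
// Added example, not NocoBase code: an application-side SSRF guard that applies the
// controls the advisory lists as missing (scheme allowlist, internal/metadata range
// blocking, DNS pinning against rebinding). `resolve` is injectable so it runs offline;
// in production pass e.g. (h) => dns.promises.lookup(h, { all: true }).then(r => r.map(e => e.address)).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Normalize IPv4-mapped IPv6 forms (::ffff:a.b.c.d and ::ffff:7f00:1) to dotted IPv4.
function unmapIPv4(ip) {
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(ip);
  if (!hex) return ip;
  const n = (parseInt(hex[1], 16) << 16) | parseInt(hex[2], 16);
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// True when the address lies in a range the server must never be asked to reach:
// loopback, link-local (covers 169.254.169.254 and 169.254.170.2), RFC 1918, IPv6 equivalents.
function isBlockedAddress(ip) {
  ip = unmapIPv4(ip).toLowerCase();
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const [a, b] = [Number(v4[1]), Number(v4[2])];
    return a === 0 || a === 127 || a === 10 ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  if (ip.includes(":")) {
    return ip === "::1" || ip === "::" || /^fe[89ab]/.test(ip) || /^f[cd]/.test(ip);
  }
  return true; // not an IP literal at all: fail closed
}

// Validate a user-supplied URL; on success return the address to pin the connection to.
async function checkRequestUrl(urlString, resolve) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "");            // strip IPv6 brackets
  const literal = /^[\d.]+$/.test(host) || host.includes(":");   // WHATWG already normalized 2130706433 -> 127.0.0.1
  const addrs = literal ? [host] : await resolve(host);
  if (!addrs || addrs.length === 0) return { ok: false, reason: `${host} does not resolve` };
  const bad = addrs.find(isBlockedAddress);                      // every record must be public
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  // Pin: connect to addrs[0] and send Host: host, so a second lookup at connect time
  // (the DNS-rebinding window) cannot swap in an internal address.
  return { ok: true, host, address: addrs[0] };
}
```

The caller must actually open the socket to the returned `address` and set the Host header to `host`; validating and then letting the HTTP client resolve the name again reopens the rebinding window.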

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
