CVE-2026-40346
EUVD-2026-2361318.04.2026, 00:16
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nocobase | nocobase | 𝑥 < 2.0.37 |
𝑥
= Vulnerable software versions