{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40346", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.358Z", "datePublished": "2026-04-17T23:54:34.829Z", "dateUpdated": "2026-04-20T14:56:12.829Z"}, "containers": {"cna": {"title": "NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"}, {"name": "https://github.com/nocobase/nocobase/pull/9079", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/pull/9079"}, {"name": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59"}, {"name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37"}], "affected": [{"vendor": "nocobase", "product": "@nocobase/plugin-workflow-request", "versions": [{"version": "< 2.0.37", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:54:34.829Z"}, "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch."}], "source": {"advisory": "GHSA-mvvv-v22x-xqwp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:42:37.238641Z", "id": "CVE-2026-40346", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:12.829Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40346", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:42:37.238641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:42:38.711Z"}}], "cna": {"title": "NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins", "source": {"advisory": "GHSA-mvvv-v22x-xqwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nocobase", "product": "@nocobase/plugin-workflow-request", "versions": [{"status": "affected", "version": "< 2.0.37"}]}], "references": [{"url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp", "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nocobase/nocobase/pull/9079", "name": "https://github.com/nocobase/nocobase/pull/9079", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59", "name": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37", "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:54:34.829Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40346", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:56:12.829Z", "dateReserved": "2026-04-10T22:50:01.358Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T23:54:34.829Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nocobase:nocobase:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4E4EE36-76CD-4996-9435-4B639291D20E", "versionEndExcluding": "2.0.37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch."}], "id": "CVE-2026-40346", "lastModified": "2026-05-13T20:53:48.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:38.360", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/nocobase/nocobase/pull/9079"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.37)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@nocobase/plugin-workflow-request", "source": "cna", "vendor": "nocobase"}, "product": "nocobase", "vendor": "nocobase"}], "analysis": {"en": {"generated_at": "2026-04-18T08:44:31.008980+00:00", "value": {"mitigation_remediation": ["Upgrade NocoBase to version 2.0.37 or newer to apply the official fix.", "If an upgrade cannot be performed immediately, disable or uninstall the unsecured workflow HTTP request and custom request action plugins to stop the vulnerable functionality.", "Restrict the NocoBase server's outbound network policy to prevent access to internal IP ranges, cloud metadata IPs, and localhost where feasible.", "Monitor HTTP request logs for anomalous outbound connections that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of the NocoBase platform that use the workflow HTTP request or custom request action plugins prior to version 2.0.37 are affected. Users of the plugin with user-supplied URLs without SSRF filtering are at risk.", "description_and_impact": "NocoBase's workflow HTTP request plugin and custom request action plugin allow an authenticated user to send HTTP requests to any URL specified by the user. The plugins lack SSRF protection, meaning the server can be coerced into reaching internal network services, cloud metadata endpoints, and localhost. This flaw falls under CWE\u2011918 and provides a pathway for attackers to exfiltrate sensitive information or interact with internal resources the server can access.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity vulnerability. Although EPSS data is not available, the need for authenticated access combined with the ability to dial arbitrary endpoints means that once an attacker gains a legitimate user session, they can probe internal networks or cloud metadata services. The vulnerability is not listed in CISA's KEV catalog, but the ease of exploitation in controlled environments warrants immediate attention."}}}}, "created": "2026-04-18T08:45:41.388959+00:00", "updated": "2026-04-20T14:59:02.439209+00:00", "vendors": ["nocobase", "nocobase$PRODUCT$nocobase"]}