CVE-2026-58468 in NocoBaseinfo

Summary

by MITRE • 07/07/2026

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability exists within NocoBase versions 2.1.20 and earlier, specifically in the serverRequest wrapper functionality that processes outbound HTTP requests. The flaw represents a critical server-side request forgery vulnerability that allows authenticated administrators to bypass normal network restrictions and initiate arbitrary outbound HTTP requests to any destination. The vulnerability manifests when malicious URLs are provided through workflow request nodes, custom request action buttons, or the AI plugin components, creating an attack surface where legitimate administrative privileges can be exploited for unauthorized network access.

The technical implementation of this vulnerability stems from insufficient validation of outbound request destinations within the serverRequest wrapper mechanism. When administrators configure workflow nodes or custom action buttons that make HTTP requests, the application fails to properly sanitize or restrict the target URLs, allowing attackers to specify addresses that would normally be restricted by network policies. This includes loopback addresses such as 127.0.0.1 and ::1, private RFC-1918 address ranges like 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as well as cloud instance metadata endpoints that provide sensitive IAM role credentials.

The operational impact of this vulnerability is severe and multifaceted. Attackers can leverage this weakness to perform internal network reconnaissance by enumerating open ports on internal hosts, discovering active services, and mapping the internal network topology. The ability to access cloud instance metadata services creates opportunities for credential theft, allowing attackers to obtain temporary security credentials that may provide elevated privileges within cloud environments. This vulnerability effectively transforms a legitimate administrative tool into a vector for internal network penetration testing and privilege escalation attacks.

Organizations using affected NocoBase versions should immediately implement mitigations including configuring the SERVER_REQUEST_WHITELIST environment variable to restrict outbound requests to known good domains, implementing network-level restrictions to block access to private address ranges and metadata endpoints, and conducting thorough code reviews of workflow configurations and custom action buttons. The vulnerability aligns with CWE-918 Server-Side Request Forgery and maps to ATT&CK technique T1071.004 Application Layer Protocol DNS, though more specifically relates to T1566.002 Phishing: Spearphishing Attachment and T1046 Network Service Scanning. Security teams should also consider implementing network monitoring to detect anomalous outbound HTTP requests that may indicate exploitation attempts. The vulnerability demonstrates the importance of proper input validation and the principle of least privilege in web application security, particularly when dealing with administrative functions that handle external communications.

Responsible

VulnCheck

Reservation

06/30/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!