PatchSiren cyber security CVE debrief
CVE-2026-58468 nocobase CVE debrief
CVE-2026-58468 is a server-side request forgery vulnerability in NocoBase through 2.1.20. Authenticated administrators can issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. This allows attackers to target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. Version 2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured. The vulnerability has a CVSS score of 5.1 and a severity of MEDIUM. To mitigate the risk, administrators and users of NocoBase versions up to 2.1.20 should be aware of this vulnerability and take necessary actions.
- Vendor
- nocobase
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of NocoBase versions up to 2.1.20 should be aware of this vulnerability and take necessary actions to mitigate the risk. This vulnerability can be used to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. Affected operators should review system logs for suspicious activity, and security teams should prioritize patching or mitigating the vulnerability.
Technical summary
The vulnerability exists in the serverRequest wrapper of NocoBase, allowing authenticated administrators to issue arbitrary outbound HTTP requests. This can be exploited by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. The vulnerability can be used to target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints. Attackers can use this to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. Version 2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured, but this does not prevent exploitation. To address this vulnerability, defenders should prioritize patching or mitigating the vulnerability, thoroughly verify mitigation effectiveness through thorough log review and vulnerability scanning after patching or mitigation deployment, and consider compensating controls like network segmentation or stricter access controls for sensitive metadata services and internal networks that could be targeted through this vulnerability in NocoBase deployments up to version 2.1.20.
Defensive priority
High with urgent priority for NocoBase deployments exposed to untrusted administrators or with internet-exposed management interfaces, and for cloud instances with sensitive metadata services that could be targeted through this vulnerability. The vulnerability allows for internal network port enumeration, host discovery, and retrieval of IAM role credentials, making it a high-priority issue for defenders to address promptly and thoroughly verify mitigation effectiveness through thorough log review and vulnerability scanning after patching or mitigation deployment, and consider compensating controls like network segmentation or stricter access controls for sensitive metadata services and internal networks that could be targeted through this vulnerability in NocoBase deployments up to version 2.1.20, especially where SERVER_REQUEST_WHITELIST is not configured or is insufficiently restrictive to prevent exploitation of internal networks and cloud instance metadata services by authenticated administrators abusing the serverRequest wrapper in workflow request nodes, custom request action buttons, or the AI plugin with malicious URLs supplied by attackers to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service, which can be targeted through loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints that are accessible to authenticated administrators in affected NocoBase deployments up to version 2.1.20 where SERVER_REQUEST_WHITELIST is not configured or is insufficiently restrictive to prevent exploitation of internal networks and cloud instance metadata services by authenticated administrators abusing the serverRequest wrapper in workflow request nodes, custom request action buttons, or the AI plugin with malicious URLs supplied by attackers to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service, which can be targeted through loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints that are accessible to authenticated administrators in affected NocoBase versions
Recommended defensive actions
- Update NocoBase to version 2.1.21 or later
- Configure SERVER_REQUEST_WHITELIST to restrict outbound HTTP requests
- Monitor network traffic for suspicious activity
- Implement additional security measures to protect against internal network port enumeration and host discovery
- Review system logs for suspicious activity related to workflow request nodes, custom request action buttons, or the AI plugin
- Perform vulnerability scanning after patching or mitigation deployment
- Verify mitigation effectiveness through thorough log review
Evidence notes
The CVE record was published on 2026-07-07T20:16:29.240Z and has not been modified since then. The NVD entry is currently 5.1 MEDIUM. Limited evidence is available from the CVE and NVD entries, and further investigation is recommended by verifying the official vendor advisory for NocoBase and reviewing system logs for suspicious activity related to workflow request nodes, custom request action buttons, or the AI plugin. The vulnerability allows authenticated administrators to issue arbitrary outbound HTTP requests, which can be used to target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T20:16:29.240Z and has not been modified since then.