PatchSiren

nocobase CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM nocobase CVE published 2026-07-07

CVE-2026-58468

CVE-2026-58468 is a server-side request forgery vulnerability in NocoBase through 2.1.20. Authenticated administrators can issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. This allows attackers to target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network [truncated]