MEDIUM
nocobase
CVE published 2026-07-07
CVE-2026-58468
CVE-2026-58468 is a server-side request forgery vulnerability in NocoBase through 2.1.20. Authenticated administrators can issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. This allows attackers to target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network [truncated]