CVE Catalog

CVE-2026-46548

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had non-functional SSRF protection in four notification webhook plugins (Slack, Discord, Mattermost, Teams). An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts.

Risk Assessment

This vulnerability could lead to unauthorized access to internal resources of the organization, posing a serious threat to data security.

Recommendation

It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS