CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58468

mediumCVSS 5.5covered by 1 sourcefirst seen 2026-07-07
NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.

⚡ Watch CVE-2026-58468

Get an email if CVE-2026-58468 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58468

CVE.org record

Embed the live status

CVE-2026-58468 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58468 status](https://www.csirts.com/badge/CVE-2026-58468)](https://www.csirts.com/cve/CVE-2026-58468)