Vulnerability DatabaseCVE-2026-40346

CVE-2026-40346:
JavaScript vulnerability analysis and mitigation

Summary

NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost.

Vulnerable Code

1. Workflow HTTP Request Plugin

packages/plugins/@nocobase/plugin-workflow-request/src/server/RequestInstruction.ts lines 117-128:

return axios.request({
  url: trim(url),  // User-controlled, no validation
  method,
  headers,
  params,
  timeout,
  ...(method.toLowerCase() !== 'get' && data != null
    ? { data: transformer ? await transformer(data) : data }
    : {}),
});

The url at line 98 comes directly from user workflow configuration with only whitespace trimming.

2. Custom Request Action Plugin

packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts lines 172-198:

const axiosRequestConfig = {
  baseURL: ctx.origin,
  ...options,
  url: getParsedValue(url, variables),  // User-controlled via template
  headers: { ... },
  params: getParsedValue(arrayToObject(params), variables),
  data: getParsedValue(toJSON(data), variables),
};
const res = await axios(axiosRequestConfig);  // No IP validation

Missing Protections

No request-filtering-agent or SSRF library (confirmed via grep across entire codebase)
No private IP range filtering
No cloud metadata endpoint blocking
No URL scheme validation
No DNS rebinding protection

Attack Scenario

Authenticated user creates a workflow with HTTP Request node
Sets URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/
Triggers the workflow
Server fetches AWS metadata and returns IAM credentials in workflow execution logsAlternatively via Custom Request action:
Create custom request with URL http://127.0.0.1:5432 or http://10.0.0.1:8080/admin
Execute the action
Server makes request to internal service

Impact

Cloud metadata theft: AWS/GCP/Azure credentials via metadata endpoints
Internal network access: Scan and interact with services on private IP ranges
Database access: Connect to localhost databases (PostgreSQL, Redis, etc.)
Authentication required: Yes (authenticated user), but any workspace member can create workflows

Source: NVD

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-39884	HIGH	8.3	JavaScript	mcp-server-kubernetes	No	Yes	Apr 15, 2026
GHSA-26wg-9xf2-q495	HIGH	8.1	JavaScript	novu/api	No	Yes	Apr 14, 2026
CVE-2026-33806	HIGH	7.5	JavaScript	fastify	No	Yes	Apr 15, 2026
GHSA-43fj-qp3h-hrh5	MEDIUM	6.9	JavaScript	@sync-in/server	No	Yes	Apr 15, 2026
CVE-2026-40346	MEDIUM	6.4	JavaScript	@nocobase/plugin-workflow-request	No	Yes	Apr 15, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2026-40346: JavaScript vulnerability analysis and mitigation