{"id":81655,"date":"2026-07-07T22:57:58","date_gmt":"2026-07-07T19:27:58","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-58468-nocobase-2-1-20-server-side-request-forgery-via-serverrequest-wrapper\/"},"modified":"2026-07-07T22:57:58","modified_gmt":"2026-07-07T19:27:58","slug":"cve-2026-58468-nocobase-2-1-20-server-side-request-forgery-via-serverrequest-wrapper","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-58468-nocobase-2-1-20-server-side-request-forgery-via-serverrequest-wrapper\/","title":{"rendered":"CVE-2026-58468 &#8211; NocoBase 2.1.20 Server-Side Request Forgery via serverRequest wrapper"},"content":{"rendered":"<p>CVE ID :CVE-2026-58468<\/p>\n<p>  Published : July 7, 2026, 7:27 p.m. | 20\u00a0minutes ago<\/p>\n<p>  Description :NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can target loopback addresses, RFC-1918 private ranges, and cloud instance metadata endpoints to perform internal network port enumeration, host discovery, and retrieval of IAM role credentials from the instance metadata service. v2.1.18 added a warning message for when SERVER_REQUEST_WHITELIST is not configured.<\/p>\n<p>  Severity: 5.5 | MEDIUM<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-58468 Published : July 7, 2026, 7:27 p.m. | 20\u00a0minutes ago Description :NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Attackers can &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81655","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81655"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81655\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}