Server-side Request Forgery (SSRF) Affecting nocodb package, versions >=0.107.0-beta.0


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-NOCODB-16875135
  • Published: 26 May 2026
  • Disclosed: 21 May 2026
  • Credit: ik0z

Introduced: 21 May 2026

CVE-2026-46548
CWE-918

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

nocodb is a NocoDB

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the sendMessage methods in the Discord, Mattermost, Slack, and Teams webhook adapters. An attacker can make the server send requests to attacker-controlled URLs by supplying a webhook_url in payload.channels, causing the application to connect to arbitrary internal or external endpoints and leak request traffic through the webhook delivery path.

Workarounds

  • Restrict webhook creation and editing to trusted authenticated users only, because an authenticated user with hook-creation permission can point notification.payload.channels[].webhook_url at internal or attacker-controlled hosts and trigger outbound requests through the webhook delivery path.
  • Avoid enabling verbose hook logging with NC_AUTOMATION_LOG_LEVEL=ALL, because it can expose response bodies from the SSRF-triggered webhook requests and increase the amount of data an attacker can exfiltrate.
