Vulnerability Brief
CVE-2026-46548
What this means for your business
A security vulnerability in the Slack notification webhook plugin in NocoDB means that an attacker could potentially send malicious requests to internal servers within your organization, potentially causing harm or disrupting operations. This could happen if an authorized user with permission to set up webhooks was tricked into sending requests to the wrong place. Fortunately, the issue has been fixed in the latest version of NocoDB, so updating to the latest version should resolve the problem.
- Severity: MEDIUM
- CVSS score: 4.3
Technical summary
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts. This vulnerability is fixed in 2026.04.1.