NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
Description
Summary
The request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts.
Details
axios.post(url, data, config) expects connection agents in the third (config) argument. In all four plugins, the agents were placed in the second (data) argument and serialised as JSON body content:
// packages/nocodb/src/plugins/slack/Slack.ts (and Discord / Mattermost / Teams — identical pattern)
return await axios.post(webhook_url, {
text,
httpAgent: useAgent(webhook_url), // wrong position — serialised, not used
httpsAgent: useAgent(webhook_url),
});
The webhook flow: an Editor+ user creates a webhook with notification.payload.channels[].webhook_url pointing to an internal host; on trigger, WebhookInvoker.invoke() calls the plugin's sendMessage() which performs the outbound axios.post with no SSRF filtering applied.
This is distinct from GHSA-xr7v-j379-34v9, which covers a blind SSRF via HEAD in the upload-by-URL path.
Impact
- Authenticated user (Editor+) can reach cloud-metadata endpoints (
169.254.169.254) and internal services. - Combined with verbose hook logging (
NC_AUTOMATION_LOG_LEVEL=ALL), response bodies may be exfiltrated.
Credit
This issue was reported by @ik0z.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSRF protection in NocoDB notification webhook plugins was bypassed due to misplacement of httpAgent/httpsAgent in axios request body instead of config, allowing authenticated users to target internal hosts.
Vulnerability
CVE-2026-46548 describes a server-side request forgery (SSRF) protection bypass in NocoDB's notification webhook plugins for Slack, Discord, Mattermost, and Teams. The root cause is that httpAgent and httpsAgent intended to restrict outbound requests were incorrectly placed in the data argument of axios.post() instead of the config argument, causing them to be serialized into the request body and never applied to the actual connection [1][2].
Exploitation
An authenticated user with Editor+ role can create a webhook notification and set the webhook_url to point to an internal host (e.g., cloud metadata endpoints at 169.254.169.254). When the webhook is triggered, the plugin executes the vulnerable axios.post call, sending an outbound POST request to the attacker-controlled URL with no SSRF filtering [1][2].
Impact
Successful exploitation allows the attacker to reach internal services that are not exposed to the internet, potentially leaking sensitive information. If NocoDB is configured with NC_AUTOMATION_LOG_LEVEL=ALL, response bodies from internal hosts may be exfiltrated through verbose logging [1][2].
Mitigation
This vulnerability is distinct from a previously reported blind SSRF (GHSA-xr7v-j379-34v9). Users should update to the latest patched version of NocoDB once available and restrict webhook creation privileges to trusted users. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.