← Back to CVEs
CVE-2026-24767
MEDIUM4.9
Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.
CVE Details
CVSS v3.1 Score4.9
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredLOW
User InteractionNONE
Published1/28/2026
Last Modified2/4/2026
Sourcenvd
Honeypot Sightings0
Affected Products
nocodb:nocodb
Weaknesses (CWE)
CWE-918
References
https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9(security-advisories@github.com)
https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.