CVE-2026-24767

low-risk
Published 2026-01-28

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Nocodb

References (2)

Exploit https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9
Exploit https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9
21
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal