CVE-2026-24767

4.9 MEDIUM

📋 TL;DR

NocoDB versions before 0.301.0 contain a blind server-side request forgery (SSRF) in the uploadViaURL functionality, which lets a user attach a file by giving NocoDB a URL to fetch it from. NocoDB first sends a HEAD request to that URL to read the remote file's metadata, and this request is issued without the SSRF validation that is applied to the subsequent download. A user who can reach the endpoint (normally an authenticated one) can therefore make the NocoDB server send HEAD requests to arbitrary destinations, including internal addresses. The response body is never returned to the attacker, hence "blind", but the reachability of internal hosts and ports can still be inferred. Every deployment running a vulnerable version with upload-by-URL reachable is affected.
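
To make the flaw concrete, the following is an added example and not NocoDB's own code: it models the two-step upload-by-URL flow offline. The names validateUploadUrl, planVulnerableFlow, planFixedFlow and fakeDns are introduced here for illustration, and the DNS answers are constructed. The vulnerable flow sends the metadata HEAD before any check, matching the advisory's description, while the hardened flow validates once, rejects a hostname if any of its answers is a non-public address, and pins the validated address for both requests so a DNS-rebinding race cannot slip an internal answer past the check.

```typescript
// Added example (not NocoDB's code): offline model of the two-step upload-by-URL flow.
// The resolver is injected so the example runs without DNS or network access.
type Resolver = (hostname: string) => string[];
interface PlannedRequest { method: "HEAD" | "GET"; url: string; pinnedIp?: string }
type Verdict = { ok: true; ip: string; url: URL } | { ok: false; reason: string };

function parseIPv4(ip: string): number[] | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

function isPrivateIPv4(ip: string): boolean {
  const o = parseIPv4(ip);
  if (!o) return false;
  const a = o[0], b = o[1];
  return a === 0 || a === 10 || a === 127 ||        // "this" network, RFC 1918 10/8, loopback
    (a === 100 && b >= 64 && b <= 127) ||          // 100.64/10 shared address space
    (a === 169 && b === 254) ||                    // link-local, incl. 169.254.169.254 cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||           // RFC 1918 172.16/12
    (a === 192 && b === 168) ||                    // RFC 1918 192.168/16
    a >= 224;                                      // multicast and reserved
}

// WHATWG URL serialises ::ffff:127.0.0.1 as ::ffff:7f00:1, so both spellings are accepted.
function mappedIPv4(ip6: string): string | null {
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(ip6);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip6);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
}

function isPrivateIp(ip: string): boolean {
  if (parseIPv4(ip)) return isPrivateIPv4(ip);
  const v6 = ip.toLowerCase(), v4 = mappedIPv4(v6);
  if (v4) return isPrivateIPv4(v4);
  // loopback, unspecified, fc00::/7 unique-local, fe80::/10 link-local
  return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Validates the URL once and returns the single address to connect to. Rejecting when ANY
// DNS answer is internal, and pinning that answer, closes the check-then-use rebinding race.
function validateUploadUrl(raw: string, resolve: Resolver): Verdict {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "malformed URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "");   // WHATWG keeps IPv6 brackets in hostname
  const isLiteral = parseIPv4(host) !== null || host.indexOf(":") >= 0;
  const addrs = isLiteral ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "hostname did not resolve" };
  const bad = addrs.filter(isPrivateIp)[0];
  if (bad) return { ok: false, reason: `resolves to non-public address ${bad}` };
  return { ok: true, ip: addrs[0], url };
}

// Pre-0.301.0 behaviour as the advisory describes it: the metadata HEAD goes out before any
// check, so internal hosts are reachable even though the GET is refused.
function planVulnerableFlow(raw: string, resolve: Resolver): PlannedRequest[] {
  const plan: PlannedRequest[] = [{ method: "HEAD", url: raw }];
  const v = validateUploadUrl(raw, resolve);
  if (v.ok) plan.push({ method: "GET", url: v.url.href, pinnedIp: v.ip });
  return plan;
}

// Hardened flow: one validation gates both requests, and both use the pinned address.
function planFixedFlow(raw: string, resolve: Resolver): PlannedRequest[] {
  const v = validateUploadUrl(raw, resolve);
  if (!v.ok) return [];
  return [{ method: "HEAD", url: v.url.href, pinnedIp: v.ip }, { method: "GET", url: v.url.href, pinnedIp: v.ip }];
}

// Constructed DNS table standing in for a real resolver (no lookups are performed).
const DNS_TABLE: Record<string, string[]> = {
  "files.example.com": ["203.0.113.10"],
  "rebind.attacker.example": ["203.0.113.20", "10.0.0.5"],   // public and internal answers mixed
};
const fakeDns: Resolver = (h) => DNS_TABLE[h] || [];

console.log("vulnerable:", planVulnerableFlow("http://127.0.0.1:6379/", fakeDns));
console.log("fixed:", planFixedFlow("http://127.0.0.1:6379/", fakeDns));
```

In a real client the pinned address means connecting to that IP while sending the original hostname in the Host header (and as the TLS SNI), not re-resolving the name for the GET. Note that WHATWG URL parsing already normalises alternate IPv4 spellings, so a decimal form such as http://2130706433/ reaches the check as 127.0.0.1.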

💻 Affected Systems

Products:
  • NocoDB
Versions: All versions prior to 0.301.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with uploadViaURL functionality accessible.

📦 What is this software?

NocoDB is an open-source no-code database platform, often described as an Airtable alternative, that connects to relational databases such as MySQL, PostgreSQL and SQLite and presents their tables as spreadsheet-style grids with REST APIs. Attachment fields can be filled either by uploading a file directly or by giving NocoDB a URL to fetch the file from; that second path is the uploadViaURL functionality affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can reach the upload-by-URL endpoint makes the NocoDB server issue HEAD requests to internal hosts and ports of their choosing. The SSRF is blind, so response bodies are not returned, but differences in error messages and response timing still reveal which internal hosts and services exist, giving the attacker a limited port scan from inside the network.

🟠 Likely Case

Limited disclosure of internal network layout (reachable hosts, open ports, and which of them speak HTTP), or requests to external services that appear to originate from the NocoDB server.

🟢 If Mitigated

Minimal. The file download that follows the metadata request already passes SSRF validation, so exposure is confined to the unvalidated HEAD, and egress filtering on the NocoDB host narrows even that.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the uploadViaURL endpoint, which typically requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.301.0

Vendor Advisory: https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9

Restart Required: Yes

Instructions:

1. Update NocoDB to version 0.301.0 or later.
2. Restart the NocoDB service (or recreate the container) so the new build is actually running.
3. Confirm that the running instance reports version 0.301.0 or later.

🔧 Temporary Workarounds

Disable uploadViaURL functionality (all platforms)

Until you can patch, make the upload-by-URL path unusable. If your deployment exposes no setting for this, block the upload-by-URL API route at the reverse proxy in front of NocoDB, and restrict the NocoDB host's outbound HTTP to the destinations it legitimately needs, so that any HEAD that does get through cannot reach internal services.

🧯 If You Can't Patch

  • Restrict access to NocoDB to trusted, authenticated users, since reaching the upload-by-URL endpoint is what the attack requires.
  • Apply egress filtering to the NocoDB host: deny outbound connections to loopback, RFC 1918 and link-local ranges (including the cloud metadata address 169.254.169.254 where applicable) except for the databases and services it must talk to, so that a forged HEAD cannot reach internal services.

🔍 How to Verify

Check if Vulnerable:

Check the running NocoDB version in the web interface or via its API. Any version below 0.301.0 is vulnerable. Compare version components numerically rather than as strings: a 0.9x.y release sorts after 0.301.0 lexically but is far older and is not patched.

Check Version:

The version is shown in the NocoDB web interface and is also returned by its API. Read it from the running instance rather than from a deployment manifest or image tag, which may say "latest" without reflecting what is actually deployed.

Verify Fix Applied:

Confirm the running version is 0.301.0 or later, then exercise the fix: submit an upload-by-URL pointing at a listener you control on an internal address (for example a plain TCP listener on a host in the NocoDB server's own network) and confirm that the request is rejected and no HEAD arrives at the listener. An upload from a public URL you control should still succeed, showing that the feature itself still works.

📡 Detection & Monitoring

Log Indicators:

  • In egress proxy or firewall logs: HEAD requests from the NocoDB host to loopback, RFC 1918 or link-local addresses, or to ports other than 80 and 443
  • In NocoDB's API access log: bursts of upload-by-URL calls from one account whose submitted URLs point at internal addresses or unusual ports, many of them failing

Network Indicators:

  • Outbound HTTP HEAD requests from the NocoDB server to destinations it does not normally contact
  • Many short-lived connections or connection failures from the NocoDB server to successive ports on one internal host (port-scan pattern)

SIEM Query (the outbound HEAD is only visible where the NocoDB host's egress traffic is logged, typically a forward proxy or firewall; the query is written in generic pseudo-syntax):

source="egress_proxy" AND src_ip="<nocodb host>" AND http_method="HEAD" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16) OR dest_port NOT IN (80, 443))
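
The detection logic behind those indicators, as an added example that is not part of this page or of NocoDB: it parses egress-proxy log lines in a format constructed for this example (`<ISO time> <src ip> <method> <url> <status or ->`; adapt the regex to your proxy) and flags a source that sends HEAD requests to private IPv4 ranges or to many distinct host:port pairs within a short window. The names parseEgressLine, detectSsrfProbes and SAMPLE_EGRESS_LOG are introduced here, and the sample lines are constructed.

```typescript
// Added example (not NocoDB's code): flag blind-SSRF probing in egress logs from the NocoDB host.
// Log format "<ISO time> <src-ip> <method> <url> <status|->" is constructed for this example.
interface EgressEvent { time: number; src: string; method: string; dstHost: string; dstPort: number; status: string }
interface Alert { src: string; reason: string; targets: string[] }

const LOG_RE = /^(\S+) (\S+) (\S+) (https?):\/\/([^\/:\s]+)(?::(\d+))?(\S*) (\d{3}|-)$/;

// IPv4 only: loopback, RFC 1918, link-local (incl. 169.254.169.254 cloud metadata), 100.64/10.
const PRIVATE_DST = /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.)/;

function parseEgressLine(line: string): EgressEvent | null {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const time = Date.parse(m[1]);
  if (isNaN(time)) return null;
  const dstPort = m[6] ? Number(m[6]) : (m[4] === "https" ? 443 : 80);   // default port by scheme
  return { time, src: m[2], method: m[3], dstHost: m[5], dstPort, status: m[8] };
}

const target = (e: EgressEvent) => `${e.dstHost}:${e.dstPort}`;
const uniq = (xs: string[]) => xs.filter((x, i) => xs.indexOf(x) === i);

function detectSsrfProbes(lines: string[], windowMs = 60_000, distinctThreshold = 5): Alert[] {
  const bySrc: Record<string, EgressEvent[]> = {};
  for (const line of lines) {
    const e = parseEgressLine(line);
    if (e && e.method === "HEAD") (bySrc[e.src] = bySrc[e.src] || []).push(e);   // only the metadata probe
  }
  const alerts: Alert[] = [];
  for (const src of Object.keys(bySrc)) {
    const evs = bySrc[src].sort((a, b) => a.time - b.time);
    // Rule 1: a HEAD to an internal address from the app server is suspicious on its own.
    const internal = uniq(evs.filter((e) => PRIVATE_DST.test(e.dstHost)).map(target));
    if (internal.length) alerts.push({ src, reason: "HEAD to internal address", targets: internal });
    // Rule 2: many distinct host:port pairs within the window looks like a port scan.
    for (let lo = 0, hi = 0; hi < evs.length; hi++) {
      while (evs[hi].time - evs[lo].time > windowMs) lo++;
      const distinct = uniq(evs.slice(lo, hi + 1).map(target));
      if (distinct.length >= distinctThreshold) {
        alerts.push({ src, reason: `${distinct.length} distinct targets within ${windowMs / 1000}s`, targets: distinct });
        break;
      }
    }
  }
  return alerts;
}

// Constructed sample: a legitimate fetch, then a probe sweep from the NocoDB host 10.20.0.15,
// plus one benign HEAD from another host. "-" marks a connection that never got an HTTP status.
const SAMPLE_EGRESS_LOG = [
  "2026-02-01T10:00:01Z 10.20.0.15 HEAD https://cdn.example.com:443/img/logo.png 200",
  "2026-02-01T10:00:05Z 10.20.0.15 GET https://cdn.example.com:443/img/logo.png 200",
  "2026-02-01T10:01:00Z 10.20.0.15 HEAD http://10.20.0.5:22/ -",
  "2026-02-01T10:01:01Z 10.20.0.15 HEAD http://10.20.0.5:80/ 404",
  "2026-02-01T10:01:02Z 10.20.0.15 HEAD http://10.20.0.5:3306/ -",
  "2026-02-01T10:01:03Z 10.20.0.15 HEAD http://10.20.0.5:5432/ -",
  "2026-02-01T10:01:04Z 10.20.0.15 HEAD http://10.20.0.5:6379/ -",
  "2026-02-01T10:01:05Z 10.20.0.15 HEAD http://169.254.169.254:80/latest/meta-data/ 200",
  "2026-02-01T10:02:00Z 10.20.0.16 HEAD https://cdn.example.com/banner.png 200",
];

console.log(JSON.stringify(detectSsrfProbes(SAMPLE_EGRESS_LOG), null, 2));
```

Rule 1 is the high-fidelity signal: an application server has no business sending HEAD requests to loopback, RFC 1918 or link-local addresses, so tune its allow-list to the internal services NocoDB legitimately contacts rather than raising the threshold. Rule 2 catches sweeps of public or unlisted hosts; the window and threshold are starting points to adjust against a baseline of normal upload-by-URL volume.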

🔗 References

  • GitHub Security Advisory GHSA-xr7v-j379-34v9: https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9